Add some checking to validate the scheme matches the wire protocol.
authorAlan M. Carroll <amc@apache.org>
Sat, 21 May 2022 17:28:31 +0000 (18:28 +0100)
committerJean Baptiste Favre <debian@jbfavre.org>
Sat, 21 May 2022 17:28:31 +0000 (18:28 +0100)
Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2022-05-21

Last-Update: 2022-05-21
Gbp-Pq: Name 0019-CVE_2021_38161.patch

proxy/http/HttpSM.cc

index 0f737fa1a282f6c884eb4fddc78affba52b37614..7bc7975622d3f287d70bb6ccc72dff647fe9c644 100644 (file)
@@ -732,6 +732,17 @@ HttpSM::state_read_client_request_header(int event, void *data)
   case PARSE_RESULT_DONE:
     SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id);
 
+    if (!is_internal) {
+      auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+      if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+          (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+        SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+                client_connection_is_ssl ? "tls" : "plaintext");
+        t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+        call_transact_and_set_next_state(HttpTransact::BadRequest);
+        break;
+      }
+    }
     ua_txn->set_session_active();
 
     if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) &&
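Review bot: The new mismatch check at the top of the `PARSE_RESULT_DONE` case carries no comment explaining why a scheme that disagrees with the transport is answered with a hard 400 instead of being normalised, and a maintainer will want that before loosening it; I would add above the `if (!is_internal)` line: `// A URL scheme that contradicts the transport (http/ws over TLS, https/wss over plaintext) is rejected outright rather than rewritten; only these four well-known schemes are checked, any other or absent scheme passes through unchanged, and internal (plugin-originated) requests are exempt.` The rationale is presumably that later stages make trust and routing decisions from the scheme, so a client must not be able to assert one the connection does not back, but that is inferred from the change rather than visible here. `client_connection_is_ssl` reflects the socket ATS itself accepted, so in a deployment that terminates TLS in front of the proxy a plaintext client connection carrying `https://` request-targets will now be refused; that behaviour should be confirmed as intended. The enclosing `state_read_client_request_header` begins and ends outside this hunk.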