From: Alan M. Carroll <amc@apache.org>
Date: Sat, 21 May 2022 17:28:31 +0000 (+0100)
Subject: Add some checking to validate the scheme matches the wire protocol.
X-Git-Tag: archive/raspbian/8.1.1+ds-1.1+rpi1+deb11u1^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b706fca13338ea233f5546eac7cdc5014a1c18b5;p=trafficserver.git

Add some checking to validate the scheme matches the wire protocol.

Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2022-05-21

Last-Update: 2022-05-21
Gbp-Pq: Name 0019-CVE_2021_38161.patch
---

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 0f737fa1..7bc79756 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -732,6 +732,17 @@ HttpSM::state_read_client_request_header(int event, void *data)
   case PARSE_RESULT_DONE:
     SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id);
 
+    if (!is_internal) {
+      auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+      if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+          (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+        SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+                client_connection_is_ssl ? "tls" : "plaintext");
+        t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+        call_transact_and_set_next_state(HttpTransact::BadRequest);
+        break;
+      }
+    }
     ua_txn->set_session_active();
 
     if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) &&