REORG: http: move has_forbidden_char() from h2.c to http.h
Origin: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=4a776fd01560a8dfa7a57b30b4d5249c8da7b12c
This function is not H2 specific but rather generic to HTTP. We'll
need it in H3 soon, so let's move it to HTTP and rename it to
http_header_has_forbidden_char().
(cherry picked from commit d4069f3cee0f6e94afaec518b6373dd368073f52)
[ad: backported for next patch BUG/MAJOR: h3: reject header values
containing invalid chars]
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit 21c4ffd025115058994a3e2765c17fc3cee52f90)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit 9c0bc4f201cf58c10706416cb4807c0f4794f8ac)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
Gbp-Pq: Name REORG-http-move-has_forbidden_char-from-h2.c-to-http.patch
haproxy (2.6.12-1+deb12u1) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
* REORG: http: move has_forbidden_char() from h2.c to http.h
* BUG/MAJOR: h3: reject header values containing invalid chars
* BUG/MAJOR: http: reject any empty content-length header value
(CVE-2023-40225) (Closes: #1043502)
* MINOR: ist: add new function ist_find_range() to find a character range
* MINOR: http: add new function http_path_has_forbidden_char()
* MINOR: h2: pass accept-invalid-http-request down the request parser
* REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri
tests
* BUG/MINOR: h1: do not accept '#' as part of the URI component
(CVE-2023-45539)
* BUG/MINOR: h2: reject more chars from the :path pseudo header
* BUG/MINOR: h3: reject more chars from the :path pseudo header
* REGTESTS: http-rules: verify that we block '#' by default for
normalize-uri
* DOC: clarify the handling of URL fragments in requests
[dgit import unpatched haproxy 2.6.12-1+deb12u1]