From 755d1c540fb7d72c44fcfc19d835b7f637e0623c Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 8 Aug 2023 19:53:51 +0200
Subject: [PATCH] REGTESTS: http-rules: verify that we block '#' by default for normalize-uri
Origin: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=dbf47600f63ffe161ce08d2f0faef7e0deb32b6e
Since we now block fragments by default, let's add an extra test there to confirm that it's blocked even when stripping it.
(cherry picked from commit 4d0175b54b2b4eeb01aa6e31282b0a5b0d7d8ace)
[ad: backported to test conformance of BUG/MINOR: h1: do not accept '#' as part of the URI component]
Signed-off-by: Amaury Denoyelle
(cherry picked from commit b3f26043df74c661155566a0abd56103e8116078)
Signed-off-by: Amaury Denoyelle
(cherry picked from commit 41d161ccbbfa846b4b17ed0166ff08f6bf0c3ea1)
Signed-off-by: Amaury Denoyelle
(cherry picked from commit b6b330eb117d520a890e5b3cd623eaa73479db1b)
Signed-off-by: Willy Tarreau
(cherry picked from commit 73b9b13ac2654ef5384789685e3d65ca5f2f880a)
[wt: rewrote the test for 2.2 without normalize-uri and called it fragments-in-uri]
Signed-off-by: Willy Tarreau
Gbp-Pq: Name REGTESTS-http-rules-verify-that-we-block-by-default-.patch
---
 reg-tests/http-rules/fragment_in_uri.vtc | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 reg-tests/http-rules/fragment_in_uri.vtc
diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc
new file mode 100644
index 0000000..720fc26
--- /dev/null
+++ b/reg-tests/http-rules/fragment_in_uri.vtc
@@ -0,0 +1,39 @@
+varnishtest "check for fragments in URL"
+#REQUIRE_VERSION=2.0
+
+# This reg-test checks that '#' is properly blocked in requests
+
+feature ignore_unknown_macro
+
+server s1 {
+ rxreq
+ txresp -hdr "connection: close"
+} -start
+
+haproxy h1 -conf {
+ global
+ # WT: limit false-positives causing "HTTP header incomplete" due to
+ # idle server connections being randomly used and randomly expiring
+ # under us.
+ tune.idle-pool.shared off
+
+ defaults
+ mode http
+ timeout connect 1s
+ timeout client 1s
+ timeout server 1s
+
+ frontend fe_fragment_block
+ bind "fd@${fe_fragment_block}"
+ default_backend be
+
+ backend be
+ server s1 ${s1_addr}:${s1_port}
+
+} -start
+
+client c11 -connect ${h1_fe_fragment_block_sock} {
+ txreq -url "/#foo"
+ rxresp
+ expect resp.status == 400
+} -run
--
2.30.2
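Review bot: The new test only exercises the rejecting case: client c11 sends `/#foo` and expects 400, and no request ever reaches server s1, so its `rxreq` is never satisfied. As written, the test would also pass if the frontend answered 400 to every request, so it does not show that the '#' is what triggers the rejection. A control client that sends a fragment-free URL through the same frontend before c11 and expects 200 would pin that down and give s1 a request to answer. The commit message describes the block as the default, so a case for the non-default setting could follow if this branch has one.

```vtc
# ... unchanged: server s1 and the haproxy h1 configuration ...

client c10 -connect ${h1_fe_fragment_block_sock} {
    txreq -url "/foo"
    rxresp
    expect resp.status == 200
} -run

# ... unchanged: client c11 sending "/#foo" and expecting 400 ...
```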