From b706fca13338ea233f5546eac7cdc5014a1c18b5 Mon Sep 17 00:00:00 2001
From: "Alan M. Carroll"
Date: Sat, 21 May 2022 18:28:31 +0100
Subject: [PATCH] Add some checking to validate the scheme matches the wire protocol.
Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Reviewed-by: Jean Baptiste Favre
Last-Update: 2022-05-21
Last-Update: 2022-05-21
Gbp-Pq: Name 0019-CVE_2021_38161.patch
---
 proxy/http/HttpSM.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 0f737fa1..7bc79756 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -732,6 +732,17 @@ HttpSM::state_read_client_request_header(int event, void *data)
 case PARSE_RESULT_DONE:
 SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id);
+ if (!is_internal) {
+ auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+ if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+ (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+ SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+ client_connection_is_ssl ? "tls" : "plaintext");
+ t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+ call_transact_and_set_next_state(HttpTransact::BadRequest);
+ break;
+ }
+ }
 ua_txn->set_session_active();
 if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) &&
-- 2.30.2
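Review bot: The added mismatch message drops the `[%" PRId64 "]` / `sm_id` prefix that the `done parsing client request header` line directly above it carries, so a rejected request cannot be tied back to its state machine in the debug output. I would write it as `SMDebug("http", "[%" PRId64 "] scheme [%s] vs. protocol [%s] mismatch", sm_id, hdrtoken_index_to_wks(scheme), client_connection_is_ssl ? "tls" : "plaintext");`. This SMDebug call is the only trace of the rejection visible in the hunk, and it is presumably emitted only when the `http` debug tag is enabled, so it is worth confirming that the resulting 400 also lands in the normal transaction log where operators can see it. The block would also benefit from a comment above `if (!is_internal)`, for example `// Reject a request whose URL scheme contradicts the transport it arrived on (http/ws over TLS, https/wss over plaintext).`, plus a word on why internal requests are exempt, which the hunk does not explain. The body of `state_read_client_request_header` starts and ends outside the hunk.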