On Mon, Jun 8, 2020 at 9:56 AM Ruediger Pluem <[email protected]> wrote:
>
> I came across the question if we should not reject HTTP protocols >= 2.0 in
> the request line when we parse it
> in ap_parse_request_line.
Why not >= 1.2 ?
> A possible patch could look like the following (which rejects such requests
> with a HTTP_VERSION_NOT_SUPPORTED status code):
Looks good.
In the same category, could we reject invalid URI paths earlier
(request-target per RFC-7230 5.3)?
Today it fails in ap_core_translate(), but possibly the below would be better:
Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 1878328)
+++ server/protocol.c (working copy)
@@ -627,6 +627,14 @@ AP_CORE_DECLARE(void) ap_parse_uri(request_rec *r,
}
else {
status = apr_uri_parse(r->pool, uri, &r->parsed_uri);
+ if (status == APR_SUCCESS
+ && (r->parsed_uri.path != NULL)
+ && (r->parsed_uri.path[0] != '/')
+ && (r->method_number != M_OPTIONS
+ || strcmp(r->parsed_uri.path, "*") != 0)) {
+ /* Invalid request-target per rfc7230#section-5.3 */
+ status = APR_EINVAL;
+ }
}
if (status == APR_SUCCESS) {
--
Regards;
Yann.
