From c78528d54b56786c9d9147291cbd038dbc104ddb Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 11 Feb 2017 18:42:29 +0900 Subject: [PATCH] nghttpx: Restrict HTTP major and minor in 0 or 1 --- src/shrpx_http_downstream_connection.cc | 5 ++--- src/shrpx_https_upstream.cc | 14 ++++++++------ 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/shrpx_http_downstream_connection.cc b/src/shrpx_http_downstream_connection.cc index 86aee9ea..38a099dd 100644 --- a/src/shrpx_http_downstream_connection.cc +++ b/src/shrpx_http_downstream_connection.cc @@ -834,11 +834,10 @@ int htp_hdrs_completecb(http_parser *htp) { resp.http_major = htp->http_major; resp.http_minor = htp->http_minor; - if (resp.http_major > 1) { - // Normalize HTTP version, since we use http_major == 2 specially - // in Downstream::expect_response_trailer(). + if (resp.http_major > 1 || req.http_minor > 1) { resp.http_major = 1; resp.http_minor = 1; + return -1; } auto dconn = downstream->get_downstream_connection(); diff --git a/src/shrpx_https_upstream.cc b/src/shrpx_https_upstream.cc index e70761c7..932de5a0 100644 --- a/src/shrpx_https_upstream.cc +++ b/src/shrpx_https_upstream.cc @@ -335,6 +335,12 @@ int htp_hdrs_completecb(http_parser *htp) { auto host = req.fs.header(http2::HD_HOST); + if (req.http_major > 1 || req.http_minor > 1) { + req.http_major = 1; + req.http_minor = 1; + return -1; + } + if (req.http_major == 1 && req.http_minor == 1 && !host) { return -1; } @@ -1027,14 +1033,10 @@ int HttpsUpstream::on_downstream_header_complete(Downstream *downstream) { auto connect_method = req.method == HTTP_CONNECT; auto buf = downstream->get_response_buf(); - std::array intbuf; - buf->append("HTTP/"); - buf->append(StringRef{std::begin(intbuf), - util::utos(std::begin(intbuf), req.http_major)}); + buf->append('0' + req.http_major); buf->append('.'); - buf->append(StringRef{std::begin(intbuf), - util::utos(std::begin(intbuf), req.http_minor)}); + buf->append('0' + req.http_minor); buf->append(' '); buf->append(http2::stringify_status(balloc, resp.http_status)); buf->append(' ');