[core] thwart h2 request tunnelling

Existing behavior: strict header parsing, strict host parsing, and
basic URL normalization are enabled by default in lighttpd, and
protect against h2 request tunnelling attempts using invalid chars
in headers.

Keeping strict parsing settings enabled is strongly recommended.

If any are explicitly disabled in lighttpd.conf, then this patch takes
steps to thwart h2 request tunnelling.

x-ref:
  "HTTP/2: The Sequel is Always Worse"
  https://portswigger.net/research/http2
personal/stbuehler/tests-path
Glenn Strauss 2021-10-18 17:44:04 -04:00
parent 438dadde52
commit 92f2ac9b3f
1 changed files with 4 additions and 0 deletions

@ -48,6 +48,7 @@ __attribute_pure__
static const char * http_request_check_line_minimal (const char * const restrict s, const uint_fast32_t len) {
for (uint_fast32_t i = 0; i < len; ++i) {
if (__builtin_expect( (s[i] == '\0'), 0)) return s+i;
if (__builtin_expect( (s[i] == '\n'), 0)) return s+i;
}
return NULL;
}
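
Review bot: In http_request_check_line_minimal the loop stops on '\0' and '\n' but still lets a bare '\r' through, so with strict header parsing disabled a lone CR in the line is passed on unchanged, and some HTTP/1.1 parsers treat a bare CR as a line terminator. Consider also returning s+i on '\r', or add a comment stating why LF alone is sufficient here. A short comment above the '\n' test naming h2 request tunnelling as the reason would also keep the check from being dropped later as out of place in a function called "minimal".
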
@ -1012,12 +1013,15 @@ static int http_request_parse_header_other(request_st * const restrict r, const
case ' ':
case '\t':
return http_request_header_line_invalid(r, 400, "WS character in key -> 400");
case '\r':
case '\n':
case '(':
case ')':
case '<':
case '>':
case '@':
case ',':
case ':':
case ';':
case '\\':
case '\"':
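
Review bot: In the key switch of http_request_parse_header_other, '\r' and '\n' sit in the fall-through group with '(' through '\"' rather than beside ' ' and '\t', which return 400 through http_request_header_line_invalid with their own message. If the body of that group is conditional on strict header parsing, CR and LF in a field name would still be accepted in exactly the configuration the commit message targets. Giving them their own unconditional http_request_header_line_invalid(r, 400, ...) return with a distinct message, as the WS cases have, would make the rejection independent of the setting and easier to pick out in logs. The body of the group is not visible in this hunk, so please confirm which applies.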