This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit d6462761f284634e482a95974002ed271b0efa1b Author: Alan M. Carroll <a...@apache.org> AuthorDate: Wed Oct 27 13:41:34 2021 -0500 Add some checking to validate the scheme matches the wire protocol. (#8465) (cherry picked from commit 92849ce8e99155c914aea4b82ed63e10e428bee1) Conflicts: proxy/http/HttpSM.cc
---
 proxy/http/HttpSM.cc | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 0416edc..2cf3e6a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -863,6 +863,18 @@ HttpSM::state_read_client_request_header(int event, void *data)
 break;
 }
+ if (!is_internal) {
+ auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+ if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+ (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+ SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+ client_connection_is_ssl ? "tls" : "plaintext");
+ t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+ call_transact_and_set_next_state(HttpTransact::BadRequest);
+ break;
+ }
+ }
+
 if (_from_early_data) {
 // Only allow early data for safe methods defined in RFC7231 Section 4.2.1.
 // https://tools.ietf.org/html/rfc7231#section-4.2.1
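Review bot: The new `if (!is_internal)` block has no comment saying why a scheme/transport mismatch is rejected or what the check leaves out, and the only trace of a rejection is `SMDebug`, which is silent unless the `http` debug tag is enabled. The condition names only the four well-known schemes, so a request target with no scheme, or with any other scheme, presumably passes unchecked. If that is intended, say so above the block, e.g. `// Reject targets whose scheme contradicts the inbound transport (TLS vs. plaintext); scheme-less and other schemes are deliberately not checked here.` Internal requests skip the check through `is_internal`, which is set outside this hunk, so it is worth confirming that a client cannot influence that flag. The enclosing `state_read_client_request_header` starts and ends outside the hunk.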