Does anyone with a working install want a quick project? We need to block the Upgrade header field by default. What this will require is a new configuration command, like

    AllowUpgrade None | word ...

where word is any protocol name, like HTTP/2.0, waka, websocket, etc. The config command must only be allowed in rsrc_conf.

We then need a check somewhere in the http filter for an incoming request header field called "Upgrade". If present and the config option is set to None (or default), then remove the Upgrade field before it is seen by the request handler (i.e., before it might be used by some module or CGI script to send the server down a rat hole). If the config option is set and not None, then set the Upgrade header field-value to be the intersection of what was sent by the client and what is allowed by the config.

Likewise, perform the same filtering on outbound responses. In other words, only allow a handler to upgrade the connection if it has been explicitly configured by the main server config to be an okay thing to do.

Any takers? If not, I'll give it a try next week when I am back from the IETF.

....Roy
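An added illustration of the intersection filtering proposed above, written for this page and not taken from the server's source. The names filter_upgrade and token_eq are hypothetical, the sample values are constructed, and case-insensitive matching of protocol names is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: case-insensitive match of token a[0..alen) against b. */
static int token_eq(const char *a, size_t alen, const char *b)
{
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Writes to out the tokens of an Upgrade field-value that are also in allowed[].
 * Returns the number kept; 0 means the caller removes the header (n == 0 is "None"). */
size_t filter_upgrade(const char *value, const char *const *allowed, size_t n,
                      char *out, size_t outsz)
{
    size_t kept = 0, used = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    while (*value) {
        while (*value == ',' || *value == ' ' || *value == '\t') value++;
        const char *start = value;
        while (*value && *value != ',') value++;
        const char *end = value;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        size_t len = (size_t)(end - start), i = 0;
        while (i < n && !token_eq(start, len, allowed[i])) i++;
        if (len == 0 || i == n) continue;          /* not configured: drop it */
        if (used + len + (kept ? 2 : 0) + 1 > outsz) break; /* no room: drop the rest */
        if (kept) { memcpy(out + used, ", ", 2); used += 2; }
        memcpy(out + used, start, len);
        used += len;
        out[used] = '\0';
        kept++;
    }
    return kept;
}

int main(void)
{
    const char *const allowed[] = { "HTTP/2.0", "websocket" }; /* constructed config */
    char buf[64];
    size_t k = filter_upgrade("websocket, waka, HTTP/2.0", allowed, 2, buf, sizeof buf);
    printf("kept %zu: %s\n", k, buf);
    return 0;
}
```

The same function serves both directions: run it on the request field before the handler sees it and on the response field before it is sent.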