As noted in

   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432

This doesn't look right to me. I think what you want is to verify that https is
in a secured connection. This should have no effect on other schemes, and
certainly not require all schemes to be http or https.

Literally, the scheme is a naming system, not a protocol. "http" and "https"
and "foo" schemes can be resolved by any protocol that performs requests
on an absolute URI, including HTTP/2. "https" only requires the connection
to be secured end-to-end.

....Roy



> On Feb 8, 2022, at 5:38 AM, ic...@apache.org wrote:
> 
> Author: icing
> Date: Tue Feb  8 13:38:49 2022
> New Revision: 1897872
> 
> URL: http://svn.apache.org/viewvc?rev=1897872&view=rev
> Log:
>  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
>    it gives a 400 response if the scheme does not match the
>    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.
> 
> 
> Added:
>    httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
> Modified:
>    httpd/httpd/trunk/modules/http2/h2_stream.c
>    httpd/httpd/trunk/test/modules/http2/test_003_get.py
> 
> Added: httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/http2_request_scheme.txt?rev=1897872&view=auto
> ==============================================================================
> --- httpd/httpd/trunk/changes-entries/http2_request_scheme.txt (added)
> +++ httpd/httpd/trunk/changes-entries/http2_request_scheme.txt Tue Feb  8 
> 13:38:49 2022
> @@ -0,0 +1,3 @@
> +  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
> +    it gives a 400 response if the scheme does not match the
> +    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.
> 
> Modified: httpd/httpd/trunk/modules/http2/h2_stream.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_stream.c?rev=1897872&r1=1897871&r2=1897872&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/http2/h2_stream.c (original)
> +++ httpd/httpd/trunk/modules/http2/h2_stream.c Tue Feb  8 13:38:49 2022
> @@ -23,6 +23,7 @@
> #include <http_core.h>
> #include <http_connection.h>
> #include <http_log.h>
> +#include <http_ssl.h>
> 
> #include <nghttp2/nghttp2.h>
> 
> @@ -773,12 +774,10 @@ apr_status_t h2_stream_end_headers(h2_st
>     status = h2_request_end_headers(stream->rtmp, stream->pool, eos, 
> raw_bytes);
>     if (APR_SUCCESS == status) {
>         set_policy_for(stream, stream->rtmp);
> -        stream->request = stream->rtmp;
> -        stream->rtmp = NULL;
> -        
> +
>         ctx.maxlen = stream->session->s->limit_req_fieldsize;
>         ctx.failed_key = NULL;
> -        apr_table_do(table_check_val_len, &ctx, stream->request->headers, 
> NULL);
> +        apr_table_do(table_check_val_len, &ctx, stream->rtmp->headers, NULL);
>         if (ctx.failed_key) {
>             if (!h2_stream_is_ready(stream)) {
>                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
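Review bot: moving `stream->request = stream->rtmp; stream->rtmp = NULL;` below this block means the rest of the `ctx.failed_key` branch (the lines between this hunk and the next, not shown here) now runs while `stream->request` still holds its previous value; anything in that branch that reads `stream->request` rather than `stream->rtmp`, as the `apr_table_do` call switched to `stream->rtmp->headers` here does, would see a stale or NULL pointer, so that branch deserves the same `request` to `rtmp` pass.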
> @@ -790,6 +789,15 @@ apr_status_t h2_stream_end_headers(h2_st
>             /* keep on returning APR_SUCCESS, so that we send a HTTP response 
> and
>              * do not RST the stream. */
>         }
> +        if (stream->rtmp->scheme && strcasecmp(stream->rtmp->scheme,
> +            ap_ssl_conn_is_ssl(stream->session->c1)? "https" : "http")) {
> +                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
> +                              H2_STRM_LOG(APLOGNO(), stream,"Request :scheme 
> '%s' and "
> +                              "connection do not match."), 
> stream->rtmp->scheme);
> +            set_error_response(stream, HTTP_BAD_REQUEST);
> +        }
> +        stream->request = stream->rtmp;
> +        stream->rtmp = NULL;
>     }
>     return status;
> }
> 
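Review bot: the condition `strcasecmp(stream->rtmp->scheme, ap_ssl_conn_is_ssl(stream->session->c1) ? "https" : "http")` rejects every request whose :scheme is not the one expected for the transport, so `http` over TLS and any non-HTTP scheme on an absolute URI (the point made in the reply above) get a 400, while the only combination that actually needs rejecting is `https` on a cleartext connection. Narrowing it to `if (stream->rtmp->scheme && !strcasecmp(stream->rtmp->scheme, "https") && !ap_ssl_conn_is_ssl(stream->session->c1))` keeps that check and leaves other schemes alone. Two smaller points: `APLOGNO()` is empty and needs a tag assigned before any backport, and if the preceding `ctx.failed_key` branch has already set an error response, this `set_error_response(stream, HTTP_BAD_REQUEST)` overwrites its status; skipping this check once an error response is set keeps the first failure. The `ap_log_cerror` call is also indented two levels deeper than the `set_error_response` that follows it.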
> Modified: httpd/httpd/trunk/test/modules/http2/test_003_get.py
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/http2/test_003_get.py?rev=1897872&r1=1897871&r2=1897872&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/test/modules/http2/test_003_get.py (original)
> +++ httpd/httpd/trunk/test/modules/http2/test_003_get.py Tue Feb  8 13:38:49 
> 2022
> @@ -211,3 +211,11 @@ content-type: text/html
>         assert 1024 == len(r.response["body"])
>         assert "content-length" in h
>         assert clen == h["content-length"]
> +
> +    # use an invalid scheme
> +    def test_h2_003_51(self, env):
> +        url = env.mkurl("https", "cgi", "/")
> +        opt = ["-H:scheme: http"]
> +        r = env.nghttp().get(url, options=opt)
> +        assert r.exit_code == 0, r
> +        assert r.response['status'] == 400
> 
> 
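Review bot: `test_h2_003_51` only exercises `:scheme: http` over an `https` URL; it does not cover the mirror case (`https` on a cleartext h2c connection), a non-HTTP scheme over TLS, or a request without :scheme, so it cannot tell the strict transport match in `h2_stream.c` apart from the narrower "https requires TLS" rule. Assuming the test environment also serves a cleartext h2c port, a case built with `env.mkurl("http", "cgi", "/")` and `-H:scheme: https` expecting 400, plus one with `-H:scheme: foo` asserting whichever outcome is intended, would pin the policy down. Minor: `r.response['status']` uses single quotes where the surrounding assertions use `r.response["body"]`; worth matching the file's style.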

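The two policies under discussion, as an added example that is not part of the thread or of mod_h2's code: a hypothetical scheme_check() helper applies either the committed rule (:scheme must match the transport) or the narrower rule from the reply above (only "https" on a cleartext connection is rejected), returning 0 to let the request proceed or 400 to reject it, the status the commit uses. The enum, the helper and the sample requests are constructed for illustration and stand in for h2_stream_end_headers() and ap_ssl_conn_is_ssl(); they are not httpd functions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: URI schemes are case-insensitive (RFC 3986 3.1) */

/* Hypothetical policy switch, not an httpd/mod_h2 type. */
enum scheme_policy {
    POLICY_MATCH_CONNECTION,  /* as committed: :scheme must be "https" on TLS, "http" otherwise */
    POLICY_HTTPS_NEEDS_TLS    /* as suggested in the reply: only "https" on cleartext is wrong */
};

/* Hypothetical stand-in for the check in h2_stream_end_headers().
 * scheme      : value of the :scheme pseudo-header, or NULL if absent
 * conn_is_ssl : what ap_ssl_conn_is_ssl() would report for the connection
 * Returns 0 (proceed) or 400 (reject with HTTP_BAD_REQUEST). */
int scheme_check(enum scheme_policy policy, const char *scheme, int conn_is_ssl)
{
    if (scheme == NULL) {
        return 0;   /* no :scheme (e.g. CONNECT): nothing to verify under either policy */
    }
    switch (policy) {
    case POLICY_MATCH_CONNECTION:
        /* non-zero strcasecmp means the scheme differs from the transport's expected one */
        return strcasecmp(scheme, conn_is_ssl ? "https" : "http") ? 400 : 0;
    case POLICY_HTTPS_NEEDS_TLS:
        /* "https" promises end-to-end security; every other scheme is left alone */
        return (!strcasecmp(scheme, "https") && !conn_is_ssl) ? 400 : 0;
    }
    return 400;     /* unknown policy: fail closed */
}

/* Constructed sample requests (not captured traffic). */
struct sample {
    const char *scheme;
    int conn_is_ssl;
};

static const struct sample samples[] = {
    { "https", 1 },   /* the normal TLS case */
    { "http",  0 },   /* the normal h2c case */
    { "https", 0 },   /* https on cleartext: the one case both rules reject */
    { "http",  1 },   /* http over TLS: rejected only by the committed rule */
    { "foo",   1 },   /* non-HTTP scheme on an absolute URI: rejected only by the committed rule */
    { "HTTPS", 1 },   /* case-insensitive comparison accepts this under both rules */
    { NULL,    0 },   /* no :scheme at all */
};

int main(void)
{
    size_t i;
    printf("%-8s %-5s %-18s %s\n", "scheme", "tls", "match-connection", "https-needs-tls");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct sample *s = &samples[i];
        printf("%-8s %-5d %-18d %d\n",
               s->scheme ? s->scheme : "(none)",
               s->conn_is_ssl,
               scheme_check(POLICY_MATCH_CONNECTION, s->scheme, s->conn_is_ssl),
               scheme_check(POLICY_HTTPS_NEEDS_TLS, s->scheme, s->conn_is_ssl));
    }
    return 0;
}
```

The table makes the difference between the two rules concrete: only "https" on a cleartext connection is rejected by both, while "http" over TLS and "foo" over TLS are 400 under the committed comparison and pass under the narrower one.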