On 24.10.2012 19:13, Jonathan Matthews wrote:
> On 24 October 2012 16:03, Dmitry Sivachenko <[email protected]> wrote:
>> Hello!
>> I am running haproxy-1.4.22 with option accept-invalid-http-request turned
>> on (the default).
> Do you actually mean "off" here?

Yes, sorry.

>> It seems that haproxy successfully validates requests with an unencoded '%'
>> character in them:
>> http://some.host.net/api/v1/do_smth?lang=en-ru&text=100%%20Pure%20Mulberry%20Queen
>> (note the unencoded % after 100).
>> I see such requests in my backend's log. I expect haproxy to return HTTP 400
>> (Bad Request) in such cases.
>> Is it a bug or am I missing something?
> Percentage signs are valid in URIs. Your application could be doing
> /anything/ with them; HAProxy doesn't know what.
> I don't /believe/ it's a validating parser's job to disallow these -
> it sounds like you want more of a WAF.

Well, at least from Wikipedia:
http://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_the_percent_character
Because the percent ("%") character serves as the indicator for percent-encoded
octets, it must be percent-encoded as "%25" for that octet to be used as data
within a URI.
When haproxy encounters, say, an unencoded whitespace character, it returns HTTP
400. Why should '%' be an exception?
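The check Dmitry is asking for, as an added example that is not part of the original thread and not HAProxy's own code: a strict RFC 3986 validator for the path and query of a request target, which rejects a '%' that does not start a valid %XX escape and rejects any unencoded character outside the allowed set (an unencoded space included). The function names and the second sample URI are assumptions; the first sample URI is the one from the thread. The lenient decoder alongside it shows why a proxy that lets such a request through is a problem: a backend that tolerates the malformed escape will decode "100%%20Pure" to "100% Pure", so proxy and backend no longer agree on what the request says.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters RFC 3986 allows unencoded in a path or query component:
# unreserved, sub-delims, ":" and "@" (pchar), plus "/" and "?".
_ALLOWED = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@/?]")
_HEX = set("0123456789abcdefABCDEF")


def check_percent_encoding(uri):
    """Strict check of path+query of `uri` (hypothetical helper, not HAProxy code).

    Returns (ok, reason). Every '%' must be followed by exactly two hex digits,
    and every other character must be one RFC 3986 permits unencoded.
    """
    parts = urlsplit(uri)
    target = parts.path + ("?" + parts.query if parts.query else "")
    i = 0
    while i < len(target):
        ch = target[i]
        if ch == "%":
            hexpart = target[i + 1:i + 3]
            if len(hexpart) != 2 or not all(c in _HEX for c in hexpart):
                return False, "bad percent escape at offset %d: %r" % (i, target[i:i + 3])
            i += 3
            continue
        if not _ALLOWED.match(ch):
            return False, "unencoded character %r at offset %d" % (ch, i)
        i += 1
    return True, "ok"


def lenient_decode(text):
    """What a tolerant backend typically does with the query value: a '%' that
    is not a valid escape is kept literally and the rest is decoded anyway."""
    return unquote(text)


# Sample inputs: the first is the request from the thread, the second is a
# constructed corrected form of it, the third is a constructed URI with a raw space.
SAMPLE_BAD = "http://some.host.net/api/v1/do_smth?lang=en-ru&text=100%%20Pure%20Mulberry%20Queen"
SAMPLE_GOOD = "http://some.host.net/api/v1/do_smth?lang=en-ru&text=100%25%20Pure%20Mulberry%20Queen"
SAMPLE_SPACE = "http://some.host.net/api/v1/do_smth?text=100 Pure"

if __name__ == "__main__":
    for uri in (SAMPLE_BAD, SAMPLE_GOOD, SAMPLE_SPACE):
        ok, reason = check_percent_encoding(uri)
        print("400" if not ok else "200", uri, "-", reason)
    print("lenient backend sees:", lenient_decode("100%%20Pure"))
```

Run as a script it prints a 400/200 verdict per sample; the request from the thread fails at the first '%' of "100%%20", the "%25" form passes, and the raw space fails the same way an unencoded '%' does, which is the consistency Dmitry is arguing for.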