Willy,
Here are 2 patches to fix bugs on replace-header rules. The first one is
similar to the one on redirect rules. It fixes an issue reported by
Holger Just ("Strange behavior of sample fetches in http-response
replace-header option").
The second one is a trivial fix :)
--
Christopher Faulet
>From 8c9496b9b568ec68312210af4a2cfcd3757c7230 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfau...@haproxy.com>
Date: Wed, 8 Feb 2017 12:17:07 +0100
Subject: [PATCH 1/2] BUG/MEDIUM: http: Prevent replace-header from overwriting
a buffer
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
This is the same fix as which concerning the redirect rules (0d94576c).
The buffer used to expand the <replace-fmt> argument must be protected to
prevent it being overwritten during build_logline() execution (the function used
to expand the format string).
This patch should be backported in 1.7, 1.6 and 1.5. It relies on commit b686afd
("MINOR: chunks: implement a simple dynamic allocator for trash buffers") for
the trash allocator, which has to be backported as well.
---
src/proto_http.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 80ba566..3d8005e 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3419,13 +3419,22 @@ static int http_transform_header(struct stream* s, struct http_msg *msg,
struct list *fmt, struct my_regex *re,
int action)
{
- struct chunk *replace = get_trash_chunk();
+ struct chunk *replace;
+ int ret = -1;
+
+ replace = alloc_trash_chunk();
+ if (!replace)
+ goto leave;
replace->len = build_logline(s, replace->str, replace->size, fmt);
if (replace->len >= replace->size - 1)
- return -1;
+ goto leave;
+
+ ret = http_transform_header_str(s, msg, name, name_len, replace->str, re, action);
- return http_transform_header_str(s, msg, name, name_len, replace->str, re, action);
+ leave:
+ free_trash_chunk(replace);
+ return ret;
}
/* Executes the http-request rules <rules> for stream <s>, proxy <px> and
--
2.9.3
>From a1b4dd296f063bf2010116aca01c80b0df1e022d Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfau...@haproxy.com>
Date: Wed, 8 Feb 2017 12:41:31 +0100
Subject: [PATCH 2/2] BUG/MINOR: http: Return an error when a replace-header
rule failed on the response
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Historically, http-response rules couldn't produce errors generating HTTP
responses during their evaluation. This possibility was "implicitly" added with
http-response redirect rules (51d861a4). But, at the time, replace-header rules
were kept untouched. When such a rule failed, the rules processing was just
stopped (like for an accept rule).
Conversely, when a replace-header rule fails on the request, it generates a HTTP
response (400 Bad Request).
With this patch, errors on replace-header rule are now handled in the same way
for HTTP requests and HTTP responses.
This patch should be backported in 1.7 and 1.6.
---
src/proto_http.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 3d8005e..5ad2956 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3823,7 +3823,7 @@ resume_execution:
rule->arg.hdr_add.name_len,
&rule->arg.hdr_add.fmt,
&rule->arg.hdr_add.re, rule->action))
- return HTTP_RULE_RES_STOP; /* note: we should report an error here */
+ return HTTP_RULE_RES_BADREQ;
break;
case ACT_HTTP_DEL_HDR:
--
2.9.3