Willy, Thierry,

On 10.03.20 at 00:55, Tim Duesterhus wrote:
> This patch hardens the verification of the HTTP/1.x version line
> (i.e. the first line within an HTTP/1.x request) to verify that
> the protocol name within the version actually reads "HTTP".
>
> Previously protocols that superficially resembled the wire-format
> of HTTP/1.x and having a 4-letter acronym as the protocol name, such
> as RTSP would pass this check.
>
> This patch fixes GitHub issue #540, it must be backported to all
> supported versions. The legacy, non-HTX parser is affected as well,
> a fix must be created for it as well.

Digging deeper I find commit 63d692c03721d21b6469a97ce7c2e91714fb9408 "MEDIUM: http: allows 'R' and 'S' in the protocol alphabet" from Thierry, introduced in 1.6-dev2 which specifically added support for RTSP (completely undocumented, though).

- If RTSP support is desired then it should clearly be documented.
- If not then my patch should be updated to remove the "version token" flag from 'R' and 'S' in addition to verifying that the 4 characters are 'HTTP' and not 'HHHH' or whatever. The commit message must also be updated, because XXXX does not pass in any case.

Best regards
Tim Düsterhus
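
The two checks discussed in this message, side by side, as an added example that is not part of the original e-mail and is not HAProxy code. The function names and the simplified alphabet model (H, P, R, S, T for the protocol name) are assumptions made for illustration; the sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the "version token" alphabet for the protocol name:
 * H, T, P plus the 'R' and 'S' added by the commit mentioned above. */
static int is_name_token(char c)
{
    return c != '\0' && strchr("HPRST", c) != NULL;
}

/* Checks the "/<digit>.<digit>" part that follows the 4-letter name. */
static int has_version_suffix(const char *v)
{
    return strlen(v) == 8 && v[4] == '/' &&
           isdigit((unsigned char)v[5]) && v[6] == '.' &&
           isdigit((unsigned char)v[7]);
}

/* Lax check: any 4 characters from the alphabet are accepted as the name. */
int version_ok_lax(const char *v)
{
    if (strlen(v) != 8)
        return 0;
    for (int i = 0; i < 4; i++)
        if (!is_name_token(v[i]))
            return 0;
    return has_version_suffix(v);
}

/* Strict check: the name must read exactly "HTTP". */
int version_ok_strict(const char *v)
{
    return strncmp(v, "HTTP", 4) == 0 && has_version_suffix(v);
}

int main(void)
{
    /* Constructed sample version strings. */
    const char *samples[] = { "HTTP/1.1", "RTSP/1.0", "HHHH/1.1", "XXXX/1.1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-8s lax=%d strict=%d\n", samples[i],
               version_ok_lax(samples[i]), version_ok_strict(samples[i]));
    return 0;
}
```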