Hi Tim,

On Tue, Mar 10, 2020 at 12:55:40AM +0100, Tim Duesterhus wrote:
> This patch hardens the verification of the HTTP/1.x version line
> (i.e. the first line within an HTTP/1.x request) to verify that
> the protocol name within the version actually reads "HTTP".
> 
> Previously protocols that superficially resembled the wire-format
> of HTTP/1.x and having a 4-letter acronym as the protocol name, such
> as RTSP would pass this check.

It was on purpose that RTSP passes this check, since commit 63d692c,
as the message framing and the headers are exactly the same as HTTP.
There were a few users. This makes me realize that with HTX it's
probably dead anyway since we'll emit HTTP/1.1 and not RTSP/2.0.

> This patch fixes GitHub issue #540, it must be backported to all
> supported versions.

Hmmm no, let's not backport this as we'll break working setups.
However since we've broken RTSP in 2.1 we should decide whether
we want to continue to support it or definitely drop it. I don't
know who uses it :-/  I'll have a look at the issue above (not
seen yet).

Thanks,
Willy
