Hi all,

On Fri, Aug 20, 2021 at 02:52:32PM +0300, Jarno Huuskonen wrote:
> Hi,
>
> On 8/20/21 2:20 PM, Lukas Tribus wrote:
> > On Fri, 20 Aug 2021 at 13:08, ???? ??????? <[email protected]> wrote:
> > >
> > > double slashes behaviour is changed in BUG/MEDIUM:
> > > h2: match absolute-path not path-absolute for :path ·
> > > haproxy/haproxy@46b7dff (github.com)
> >
> > Actually, I think the patch you are referring to would *fix* this
> > particular issue, as it was committed AFTER the last releases:
> >
> > https://github.com/haproxy/haproxy/commit/46b7dff8f08cb6c5c3004d8874d6c5bc689a4c51
> >
> > It was this fix that probably caused the issue:
> > https://github.com/haproxy/haproxy/commit/4b8852c70d8c4b7e225e24eb58258a15eb54c26e
> >
> >
> > Using the latest git, applying the patch manually or running a
> > 20210820 snapshot would fix this.
> >
>
> Yes, 2.4.3+"BUG/MEDIUM: h2: match absolute-path not path-absolute for :path"
> and https://www.example.com// appears to work again.
Yes, that's definitely it. The bug this time was in the HTTP/2 spec itself, so when we're too lax regarding the spec it opens vulnerabilities, and when we respect it, it causes trouble. After some deep analysis I brought the topic to the HTTP working group and the consensus was that indeed the bug is in the spec, which was fixed, and I modified haproxy accordingly after that.

Given that till now I got only one report from a hosting platform, I considered that it was probably not common at all and that upgrades were not likely needed right now and could wait a bit for more important fixes. However, if it's really too much hassle for some to apply just this fix, we could emit a new set of versions (2.4, 2.3, 2.2). Please just keep in mind that it's always some extra work, especially for the distro maintainers.

Contrary to what I wrote in the commit message, 2.0 is OK.

Please advise!

Thanks,
Willy
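The two grammars the commit title refers to, as an added illustration that is not HAProxy's code: RFC 3986 `path-absolute` requires a non-empty first segment, so a `:path` of `//` is rejected, while RFC 7230 `absolute-path` allows empty segments and accepts it. The function names below are made up for this example; the character classes follow the RFC ABNF.

```python
import re

# RFC 3986 pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"

# RFC 3986: path-absolute = "/" [ segment-nz *( "/" segment ) ]
# The first segment must be non-empty, so "//" does not match.
PATH_ABSOLUTE = re.compile(rf"^/(?:{_PCHAR}+(?:/{_PCHAR}*)*)?$")

# RFC 7230: absolute-path = 1*( "/" segment ), segment = *pchar
# Empty segments are allowed, so "//" and "/a//b" both match.
ABSOLUTE_PATH = re.compile(rf"^(?:/{_PCHAR}*)+$")

# RFC 3986: query = *( pchar / "/" / "?" )
QUERY = re.compile(rf"^(?:{_PCHAR}|[/?])*$")


def split_target(target):
    """Split a :path value into (path, query); query is None when absent."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def is_path_absolute(path):
    return PATH_ABSOLUTE.fullmatch(path) is not None


def is_absolute_path(path):
    return ABSOLUTE_PATH.fullmatch(path) is not None


def classify(target):
    """Report which production the path part of a :path value satisfies."""
    path, query = split_target(target)
    return {
        "path-absolute": is_path_absolute(path),
        "absolute-path": is_absolute_path(path),
        "query-ok": query is None or QUERY.fullmatch(query) is not None,
    }


if __name__ == "__main__":
    # Constructed sample values, including the "//" case from the thread.
    for t in ("/", "//", "/a//b", "/a?x=//y", "", "a", "/%zz"):
        print(repr(t), classify(t))
```

A `:path` value that satisfies `absolute-path` but not `path-absolute` is exactly the case that stopped working under the strict check and works again with the fix.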

