authorGlenn Strauss <gstrauss@gluelogic.com>2021-10-18 16:42:48 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2021-10-27 04:16:38 -0400
commite8a6ed6e350f415b639881291c629957343b5a9c (patch)
tree44f917138a73c40cc8c1441cf33d042f756a7147 /src/h2.c
parent97eed364fffde377e23ae0821d079ec1b6104d1f (diff)
[core] thwart h2c smuggling when Upgrade enabled
Existing behavior: mod_proxy *does not* forward Upgrade header unless explicitly enabled in lighttpd.conf (default: not enabled) (proxy.header += ("upgrade" => "enable")) mod_cgi previously used to forward Upgrade request header, but would remove Upgrade response header if cgi.upgrade was not explicitly enabled (cgi.upgrade = "enable") This patch thwarts h2c smuggling when lighttpd.conf has also been explicitly configured to pass "Upgrade" request header x-ref: "h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)" https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
Diffstat (limited to 'src/h2.c')
-rw-r--r--src/h2.c1
1 files changed, 1 insertions, 0 deletions
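--- a/src/h2.c
+++ b/src/h2.c
@@ -2810,6 +2810,7 @@ h2_check_con_upgrade_h2c (request_st * const r)
 buffer * const b = r->tmp_buf;
 buffer_clear(b);
 if (r->conf.h2proto > 1/*(must be enabled with server.h2c feature)*/
+ && !r->con->is_ssl_sock /*(disallow h2c over TLS socket)*/
 &&
 http_header_str_contains_token(BUF_PTR_LEN(http_connection),
 CONST_STR_LEN("HTTP2-Settings"))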
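Review bot: The new `!r->con->is_ssl_sock` condition in the `if` says what it does but not why, and the why is the security property this commit exists for; I would widen the comment to `/*(RFC 7540 §3.2: h2c upgrade is defined for cleartext only; an Upgrade: h2c arriving over TLS is not a legitimate upgrade and is never honored here, which is what denies the h2c-smuggling path on TLS listeners)*/`. Declining the upgrade on this path leaves the Upgrade and HTTP2-Settings request headers in the request, so if mod_proxy or mod_cgi is configured to forward Upgrade as the description says, it is the companion changes in those modules rather than this hunk that keep the headers from reaching a backend; a one-line cross-reference comment here would stop the two checks from being decoupled by a later edit. h2_check_con_upgrade_h2c starts before the hunk and continues after it.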