authorGlenn Strauss <gstrauss@gluelogic.com>2021-10-18 16:42:48 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2021-10-27 04:16:38 -0400
commite8a6ed6e350f415b639881291c629957343b5a9c (patch)
tree44f917138a73c40cc8c1441cf33d042f756a7147 /src/mod_cgi.c
parent97eed364fffde377e23ae0821d079ec1b6104d1f (diff)
downloadlighttpd-git-e8a6ed6e350f415b639881291c629957343b5a9c.tar.gz
[core] thwart h2c smuggling when Upgrade enabled
Existing behavior: mod_proxy *does not* forward the Upgrade header unless explicitly enabled in lighttpd.conf (default: not enabled) (proxy.header += ("upgrade" => "enable")). mod_cgi previously forwarded the Upgrade request header, but would remove the Upgrade response header if cgi.upgrade was not explicitly enabled (cgi.upgrade = "enable"). This patch thwarts h2c smuggling when lighttpd.conf has also been explicitly configured to pass the "Upgrade" request header. x-ref: "h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)" https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
Diffstat (limited to 'src/mod_cgi.c')
-rw-r--r--src/mod_cgi.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/mod_cgi.c b/src/mod_cgi.c
index 8aa728dc..d956fa08 100644
--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@@ -980,10 +980,13 @@ URIHANDLER_FUNC(cgi_is_handled) {
hctx->plugin_data = p;
hctx->cgi_handler = &ds->value;
memcpy(&hctx->conf, &p->conf, sizeof(plugin_config));
- hctx->conf.upgrade =
- hctx->conf.upgrade
- && r->http_version == HTTP_VERSION_1_1
- && light_btst(r->rqst_htags, HTTP_HEADER_UPGRADE);
+ if (!light_btst(r->rqst_htags, HTTP_HEADER_UPGRADE))
+ hctx->conf.upgrade = 0;
+ else if (!hctx->conf.upgrade || r->http_version != HTTP_VERSION_1_1) {
+ hctx->conf.upgrade = 0;
+ http_header_request_unset(r, HTTP_HEADER_UPGRADE,
+ CONST_STR_LEN("Upgrade"));
+ }
hctx->opts.max_per_read =
!(r->conf.stream_response_body /*(if not streaming response body)*/
& (FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN))
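Review bot: The new `else if` branch is the security-relevant part of this hunk, but nothing in the code says why the request header is removed rather than just the flag being cleared; a reader maintaining cgi_is_handled later could "simplify" it back to the old flag-only form. A one-line comment above the `http_header_request_unset` call would pin the intent: `/* strip Upgrade so the CGI backend never sees an Upgrade (e.g. h2c) that lighttpd itself will not honor for this request */`. The two branches also differ in bracing (the first `if` body is unbraced, the `else if` body is braced), which is worth making uniform since a later edit adding a second statement to the first branch would silently fall outside it. It is not visible here whether the Connection header is forwarded to the CGI environment as well; if it is, its `upgrade` token still reaches the backend, so it may be worth confirming that the backend's decision is driven by the Upgrade header alone.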