| author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-10-18 16:42:48 -0400 |
|---|---|---|
| committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-10-27 04:16:38 -0400 |
| commit | e8a6ed6e350f415b639881291c629957343b5a9c (patch) | |
| tree | 44f917138a73c40cc8c1441cf33d042f756a7147 /src/mod_cgi.c | |
| parent | 97eed364fffde377e23ae0821d079ec1b6104d1f (diff) | |
| download | lighttpd-git-e8a6ed6e350f415b639881291c629957343b5a9c.tar.gz | |
[core] thwart h2c smuggling when Upgrade enabled
Existing behavior: mod_proxy *does not* forward Upgrade header
unless explicitly enabled in lighttpd.conf (default: not enabled)
(proxy.header += ("upgrade" => "enable"))
mod_cgi previously used to forward Upgrade request header, but would
remove Upgrade response header if cgi.upgrade was not explicitly enabled
(cgi.upgrade = "enable")
This patch thwarts h2c smuggling when lighttpd.conf has also been
explicitly configured to pass "Upgrade" request header
x-ref:
"h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)"
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
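The commit message describes two states of the mod_cgi Upgrade handling: before, the header was forwarded to the CGI program even when lighttpd would not honour a protocol switch; after, the header is removed from the request whenever the switch is refused. The block below is an added example, not lighttpd's own code: it models both decisions on constructed request scenarios (HTTP/1.0, HTTP/1.1 and HTTP/2 transports, with and without cgi.upgrade enabled) and flags the combination the patch closes, namely a request whose Upgrade header still reaches the backend although lighttpd itself will not broker the upgrade. The version tags, struct names and the `smuggling_window` helper are assumptions made for the model.

```c
/* Added example modelling the mod_cgi Upgrade decision; not lighttpd code. */
#include <stdio.h>

/* Version tags are an assumption of this model, not lighttpd's enum values. */
enum http_version { HTTP_VERSION_1_0, HTTP_VERSION_1_1, HTTP_VERSION_2 };

struct cgi_req {
    enum http_version version; /* transport the client request arrived on */
    int has_upgrade;           /* request carries an Upgrade header */
    int conf_upgrade;          /* cgi.upgrade = "enable" in lighttpd.conf */
};

struct cgi_outcome {
    int upgrade_enabled;   /* lighttpd will broker a protocol switch */
    int upgrade_forwarded; /* the CGI program still receives the Upgrade header */
};

/* Pre-patch: only the enable flag is computed; the request header is untouched. */
struct cgi_outcome decide_before(struct cgi_req r)
{
    struct cgi_outcome o;
    o.upgrade_enabled = r.conf_upgrade
                     && r.version == HTTP_VERSION_1_1
                     && r.has_upgrade;
    o.upgrade_forwarded = r.has_upgrade;
    return o;
}

/* Post-patch: whenever the switch is refused, the request header is unset too. */
struct cgi_outcome decide_after(struct cgi_req r)
{
    struct cgi_outcome o = {0, 0};
    if (!r.has_upgrade)
        return o;
    if (!r.conf_upgrade || r.version != HTTP_VERSION_1_1)
        return o;          /* stands in for http_header_request_unset(...) */
    o.upgrade_enabled = 1;
    o.upgrade_forwarded = 1;
    return o;
}

/* Window the patch closes: the backend is invited to switch protocols while
 * lighttpd will not honour the switch (it strips the Upgrade response header). */
int smuggling_window(struct cgi_outcome o)
{
    return o.upgrade_forwarded && !o.upgrade_enabled;
}

static const char *vname(enum http_version v)
{
    return v == HTTP_VERSION_1_0 ? "HTTP/1.0"
         : v == HTTP_VERSION_1_1 ? "HTTP/1.1" : "HTTP/2";
}

int main(void)
{
    /* Constructed scenarios, not captured traffic. */
    const struct cgi_req cases[] = {
        { HTTP_VERSION_1_1, 1, 1 },   /* legitimate, explicitly enabled upgrade */
        { HTTP_VERSION_1_1, 1, 0 },   /* Upgrade: h2c with cgi.upgrade disabled */
        { HTTP_VERSION_2,   1, 1 },   /* Upgrade header smuggled in over HTTP/2 */
        { HTTP_VERSION_1_0, 1, 1 },   /* Upgrade on a transport that has no 101 */
        { HTTP_VERSION_1_1, 0, 1 },   /* plain request, nothing to strip */
    };
    const size_t n = sizeof cases / sizeof cases[0];

    printf("%-9s %-7s %-8s  %-14s %-14s\n",
           "version", "Upgrade", "cgi.upg", "before:window", "after:window");
    for (size_t i = 0; i < n; ++i) {
        const struct cgi_req r = cases[i];
        printf("%-9s %-7d %-8d  %-14d %-14d\n", vname(r.version),
               r.has_upgrade, r.conf_upgrade,
               smuggling_window(decide_before(r)),
               smuggling_window(decide_after(r)));
    }
    return 0;
}
```

Three of the five rows are exposed before the patch (HTTP/1.1 with cgi.upgrade disabled, HTTP/2 transport, HTTP/1.0 transport) and none after it; the legitimate HTTP/1.1 upgrade with cgi.upgrade enabled is unchanged in both versions, which is the behaviour the commit message says is preserved.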
Diffstat (limited to 'src/mod_cgi.c')
-rw-r--r-- | src/mod_cgi.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/mod_cgi.c b/src/mod_cgi.c index 8aa728dc..d956fa08 100644 --- a/src/mod_cgi.c +++ b/src/mod_cgi.c @@ -980,10 +980,13 @@ URIHANDLER_FUNC(cgi_is_handled) { hctx->plugin_data = p; hctx->cgi_handler = &ds->value; memcpy(&hctx->conf, &p->conf, sizeof(plugin_config)); - hctx->conf.upgrade = - hctx->conf.upgrade - && r->http_version == HTTP_VERSION_1_1 - && light_btst(r->rqst_htags, HTTP_HEADER_UPGRADE); + if (!light_btst(r->rqst_htags, HTTP_HEADER_UPGRADE)) + hctx->conf.upgrade = 0; + else if (!hctx->conf.upgrade || r->http_version != HTTP_VERSION_1_1) { + hctx->conf.upgrade = 0; + http_header_request_unset(r, HTTP_HEADER_UPGRADE, + CONST_STR_LEN("Upgrade")); + } hctx->opts.max_per_read = !(r->conf.stream_response_body /*(if not streaming response body)*/ & (FDEVENT_STREAM_RESPONSE|FDEVENT_STREAM_RESPONSE_BUFMIN)) |
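Review bot: the `else if` branch unsets only the `Upgrade` request header; an h2c upgrade request also announces itself through the `Upgrade` token in the `Connection` header and the `HTTP2-Settings` header, and neither is touched here, so a CGI program that looks at those would still see the request as an upgrade attempt even though `Upgrade` itself is gone. Please confirm that is acceptable, or unset them alongside `Upgrade` in the same branch. A one-line comment at the `http_header_request_unset` call saying why the header is dropped (the h2c smuggling reference from the commit message) would also help, since nothing in the code explains why `conf.upgrade = 0` is no longer enough on its own. Minor: `hctx->conf.upgrade = 0;` appears in both branches; a single assignment before the `if` with the `else if` reduced to the unset would read more compactly.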