From 75ad1cacb78b337b601e0c1af1b8a2600c16ecb3 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 08:27:02 +0200
Subject: [PATCH] requests: assert that theres no @ in the URLs authority

We don't expect any userinfo in the authority and t o avoid that this allows some leverage in doing weird things later its better to error out early on such requests.

Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---
 src/PVE/APIServer/AnyEvent.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 8afe142..2ad0baf 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1560,6 +1560,11 @@ sub push_request_header {
 $self->error($reqstate, 506, "http protocol version $maj.$min not supported");
 return;
 }
+ if ($url =~ m|^[^/]*@|) {
+ # if an '@' comes before the first slash proxy forwarding might consider
+ # the frist part of the url to be part of an authority...
+ $self->error($reqstate, 400, "invalid url");
+ }
 $self->{request_count}++; # only count valid request headers
 if ($self->{request_count} >= $self->{max_requests}) {
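Review bot: The new `if ($url =~ m|^[^/]*@|)` branch calls `$self->error($reqstate, 400, "invalid url");` but, unlike the 506 branch directly above it, does not `return;`, so a rejected request still falls through to the `request_count` increment and whatever push_request_header does after it; add `return;` after the error call so the rejection actually stops processing, matching the existing pattern. The pattern `^[^/]*@` stops matching at the first `/`, so if absolute-form targets such as `scheme://user@host/...` can reach this point they would pass the check unflagged — I cannot tell from the hunk whether an earlier check excludes those, so that is worth confirming. The comment also has a typo, `frist` → `first`. push_request_header begins before this hunk and the hunk's trailing context continues past what is shown here.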