proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-05-01 17:03:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

requests: assert that theres no @ in the URLs authority

Browse Source 
We don't expect any userinfo in the authority and t o avoid that this
allows some leverage in doing weird things later its better to error
out early on such requests.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2022-07-02 08:27:02 +02:00
parent 3967071623
commit 75ad1cacb7
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/PVE/APIServer/AnyEvent.pm
View File

@ -1560,6 +1560,11 @@ sub push_request_header {
$self->error($reqstate, 506, "http protocol version $maj.$min not supported"); $self->error($reqstate, 506, "http protocol version $maj.$min not supported");
return; return;
} }
if ($url =~ m|^[^/]*@|) {
# if an '@' comes before the first slash proxy forwarding might consider
# the frist part of the url to be part of an authority...
$self->error($reqstate, 400, "invalid url");
}
$self->{request_count}++; # only count valid request headers $self->{request_count}++; # only count valid request headers
if ($self->{request_count} >= $self->{max_requests}) { if ($self->{request_count} >= $self->{max_requests}) {