Security fix for CVE-2016-5360
http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b
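--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3489,10 +3489,12 @@ static int http_transform_header(struct stream* s, str
 * further processing of the request (auth, deny, ...), and defaults to
 * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or
 * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT
- * on txn->flags if it encounters a tarpit rule.
+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL
+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny
+ * status.
 */
 enum rule_result
-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)
+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)
 {
 struct session *sess = strm_sess(s);
 struct http_txn *txn = s->txn;
@@ -3538,12 +3540,14 @@ resume_execution:
 return HTTP_RULE_RES_STOP;
 
 case ACT_ACTION_DENY:
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
 return HTTP_RULE_RES_DENY;
 
 case ACT_HTTP_REQ_TARPIT:
 txn->flags |= TX_CLTARPIT;
- txn->rule_deny_status = rule->deny_status;
+ if (deny_status)
+ *deny_status = rule->deny_status;
 return HTTP_RULE_RES_DENY;
 
 case ACT_HTTP_REQ_AUTH:
@@ -4302,6 +4306,7 @@ int http_process_req_common(struct stream *s, struct c
 struct redirect_rule *rule;
 struct cond_wordlist *wl;
 enum rule_result verdict;
+ int deny_status = HTTP_ERR_403;
 
 if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
 /* we need more data */
@@ -4322,7 +4327,7 @@ int http_process_req_common(struct stream *s, struct c
 
 /* evaluate http-request rules */
 if (!LIST_ISEMPTY(&px->http_req_rules)) {
- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
 
 switch (verdict) {
 case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
@@ -4368,7 +4373,7 @@ int http_process_req_common(struct stream *s, struct c
 
 /* parse the whole stats request and extract the relevant information */
 http_handle_stats(s, req);
- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
 /* not all actions implemented: deny, allow, auth */
 
 if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
@@ -4487,9 +4492,9 @@ int http_process_req_common(struct stream *s, struct c
 
 deny: /* this request was blocked (denied) */
 txn->flags |= TX_CLDENY;
- txn->status = http_err_codes[txn->rule_deny_status];
+ txn->status = http_err_codes[deny_status];
 s->logs.tv_request = now;
- stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));
+ stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));
 stream_inc_http_err_ctr(s);
 sess->fe->fe_counters.denied_req++;
 if (sess->fe != s->be)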
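Review bot: The `deny:` label in the last hunk now indexes `http_err_codes[]` with the local `deny_status`, whose only writers in view are the two `http_req_get_intercept_rule` calls; any other `goto deny` in http_process_req_common (the function starts and ends outside these hunks) relies on the `HTTP_ERR_403` initializer added in the third hunk, which is the intended fallback but is not stated where it is depended on. A comment at the label would make that explicit: `/* deny_status is HTTP_ERR_403 unless a deny/tarpit rule set it above */`. The index is still taken on trust from `rule->deny_status`; if that value is range-checked only at config-parse time, a short comment at the `ACT_ACTION_DENY` case saying so would help the next reader, and if `txn->rule_deny_status` has no remaining writers after this change the field can presumably be dropped from `struct http_txn` — neither is visible from here.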