PORTREVISION=	1

Security fix for CVE-2016-5360

http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b

--- include/types/proto_http.h.orig	Tue May 10 15:42:00 2016

+++ include/types/proto_http.h	Tue Jun 14 15:10:23 2016

@@ -362,7 +362,6 @@ struct http_txn {

 	unsigned int flags;             /* transaction flags */

 	enum http_meth_t meth;          /* HTTP method */

 	/* 1 unused byte here */

-	short rule_deny_status;         /* HTTP status from rule when denying */

 	short status;                   /* HTTP status from the server, negative if from proxy */

 	char *uri;                      /* first line if log needed, NULL otherwise */

Security fix for CVE-2016-5360

http://git.haproxy.org/?p=haproxy-1.6.git;a=commitdiff;h=60f01f8c89e4fb2723d5a9f2046286e699567e0b

--- src/proto_http.c.orig	Sun Dec 27 15:04:17 2015

+++ src/proto_http.c	Wed Jun 15 09:02:24 2016

@@ -3489,10 +3489,12 @@ static int http_transform_header(struct stream* s, str

  * further processing of the request (auth, deny, ...), and defaults to

  * HTTP_RULE_RES_STOP if it executed all rules or stopped on an allow, or

  * HTTP_RULE_RES_CONT if the last rule was reached. It may set the TX_CLTARPIT

- * on txn->flags if it encounters a tarpit rule.

+ * on txn->flags if it encounters a tarpit rule. If <deny_status> is not NULL

+ * and a deny/tarpit rule is matched, it will be filled with this rule's deny

+ * status.

  */

 enum rule_result

-http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s)

+http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status)

 {

 	struct session *sess = strm_sess(s);

 	struct http_txn *txn = s->txn;

@@ -3538,12 +3540,14 @@ resume_execution:

 			return HTTP_RULE_RES_STOP;

 		case ACT_ACTION_DENY:

-			txn->rule_deny_status = rule->deny_status;

+			if (deny_status)

+				*deny_status = rule->deny_status;

 			return HTTP_RULE_RES_DENY;

 		case ACT_HTTP_REQ_TARPIT:

 			txn->flags |= TX_CLTARPIT;

-			txn->rule_deny_status = rule->deny_status;

+			if (deny_status)

+				*deny_status = rule->deny_status;

 			return HTTP_RULE_RES_DENY;

 		case ACT_HTTP_REQ_AUTH:

@@ -4302,6 +4306,7 @@ int http_process_req_common(struct stream *s, struct c

 	struct redirect_rule *rule;

 	struct cond_wordlist *wl;

 	enum rule_result verdict;

+	int deny_status = HTTP_ERR_403;

 	if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {

 		/* we need more data */

@@ -4322,7 +4327,7 @@ int http_process_req_common(struct stream *s, struct c

 	/* evaluate http-request rules */

 	if (!LIST_ISEMPTY(&px->http_req_rules)) {

-		verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);

+		verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);

 		switch (verdict) {

 		case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */

@@ -4368,7 +4373,7 @@ int http_process_req_common(struct stream *s, struct c

 		/* parse the whole stats request and extract the relevant information */

 		http_handle_stats(s, req);

-		verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);

+		verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);

 		/* not all actions implemented: deny, allow, auth */

 		if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */

@@ -4487,9 +4492,9 @@ int http_process_req_common(struct stream *s, struct c

  deny:	/* this request was blocked (denied) */

 	txn->flags |= TX_CLDENY;

-	txn->status = http_err_codes[txn->rule_deny_status];

+	txn->status = http_err_codes[deny_status];

 	s->logs.tv_request = now;

-	stream_int_retnclose(&s->si[0], http_error_message(s, txn->rule_deny_status));

+	stream_int_retnclose(&s->si[0], http_error_message(s, deny_status));

 	stream_inc_http_err_ctr(s);

 	sess->fe->fe_counters.denied_req++;

 	if (sess->fe != s->be)