[6.0] 3643aab3b h2: Allow :path * for OPTIONS

Dridi Boukelmoune dridi.boukelmoune at gmail.com
Thu Apr 4 14:33:09 UTC 2024


commit 3643aab3bef97006247dd2fd2d5d0bbb0a9abf5f
Author: Dag Haavi Finstad <daghf at varnish-software.com>
Date:   Fri Mar 10 19:59:50 2023 +0100

    h2: Allow :path * for OPTIONS
    
    Conflicts:
            bin/varnishd/http2/cache_http2_proto.c

diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
index 055cb3e33..1e46c4b8d 100644
--- a/bin/varnishd/http2/cache_http2_hpack.c
+++ b/bin/varnishd/http2/cache_http2_hpack.c
@@ -135,8 +135,9 @@ h2h_addhdr(struct h2h_decode *d, struct http *hp, char *b, size_t namelen,
 			disallow_empty = 1;
 
 			// rfc7540,l,3060,3071
-			if ((len > 0 && *b != '/') ||
-			    (len > 1 && *(b+1) == '/')) {
+			if (((len > 0 && *b != '/') ||
+			    (len > 1 && *(b+1) == '/')) &&
+			    (strncmp(b, "*", len) != 0)) {
 				VSLb(hp->vsl, SLT_BogoHeader,
 				    "Illegal :path pseudo-header %.*s",
 				    (int)len, b);
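Review bot: The exemption `strncmp(b, "*", len) != 0` is not an exact match on the asterisk form, because strncmp stops at the NUL terminator of the literal rather than at `len`, so any value beginning with `*` followed by a NUL byte compares equal. If a decoded :path value can still carry an embedded NUL at this point (value-byte validation is not visible in this hunk), a longer value would bypass the illegal-path rejection. Comparing length and byte explicitly removes that dependency: `(len != 1 || *b != '*')`. h2h_addhdr starts and ends outside the hunk, so whether earlier code already rejects such bytes needs confirming there.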
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 4d2d7134b..f7c4c5973 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -687,6 +687,13 @@ h2_end_headers(struct worker *wrk, struct h2_sess *h2,
 
 	AN(req->http->hd[HTTP_HDR_PROTO].b);
 
+	if (*req->http->hd[HTTP_HDR_URL].b == '*' &&
+	    (Tlen(req->http->hd[HTTP_HDR_METHOD]) != 7 ||
+	    strncmp(req->http->hd[HTTP_HDR_METHOD].b, "OPTIONS", 7))) {
+		VSLb(h2->vsl, SLT_BogoHeader, "Illegal :path pseudo-header");
+		return (H2SE_PROTOCOL_ERROR); //rfc7540,l,3068,3071
+	}
+
 	req->req_step = R_STP_TRANSPORT;
 	req->task.func = h2_do_req;
 	req->task.priv = req;
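Review bot: The BogoHeader record added here, `"Illegal :path pseudo-header"`, carries neither the method nor the path, and it shares its prefix with the message logged in cache_http2_hpack.c, so the two rejection sites are hard to tell apart in varnishlog. Logging the method would make the record usable for triage, e.g. `"Illegal :path * for method %.*s", (int)Tlen(req->http->hd[HTTP_HDR_METHOD]), req->http->hd[HTTP_HDR_METHOD].b`. Separately, the new condition dereferences `hd[HTTP_HDR_URL].b` and `hd[HTTP_HDR_METHOD].b`, while the only assertion visible in the hunk covers `HTTP_HDR_PROTO`. Presumably missing :path and :method are rejected earlier in h2_end_headers, which starts outside the hunk, but that should be confirmed or made explicit with `AN()`.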
diff --git a/bin/varnishtest/tests/a02027.vtc b/bin/varnishtest/tests/a02027.vtc
index 731f72aca..ff34b0071 100644
--- a/bin/varnishtest/tests/a02027.vtc
+++ b/bin/varnishtest/tests/a02027.vtc
@@ -27,3 +27,43 @@ client c1 {
 	} -run
 
 } -run
+
+client c1 {
+	stream 3 {
+		txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*a" -hdr ":scheme" "http" -hdr ":method" "GET"
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c1 {
+	stream 1 {
+		txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*" -hdr ":scheme" "http" -hdr ":method" "GET"
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c1 {
+	stream 1 {
+		txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*" -hdr ":scheme" "http" -hdr ":method" "OPTIONS"
+		rxresp
+		expect resp.status == 200
+	} -run
+} -run
+
+client c1 {
+	stream 1 {
+		txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*" -hdr ":scheme" "http" -hdr ":method" "OPTIONs"
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c1 {
+	stream 1 {
+		txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*" -hdr ":scheme" "http" -hdr ":method" "OPTIONSx"
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
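Review bot: The added cases never send `:path "*a"` with `:method "OPTIONS"`, which is the only combination rejected solely by the check in cache_http2_hpack.c. With GET, as in the `stream 3` case, a regression in the hpack exemption would be hidden by the method check in h2_end_headers. Adding one more client block with `txreq -noadd -hdr ":authority" "foo.com" -hdr ":path" "*a" -hdr ":scheme" "http" -hdr ":method" "OPTIONS"` and `expect rst.err == PROTOCOL_ERROR` would pin the exact-match behaviour of the asterisk exemption.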

