35d63cc3c7
As reported by Ben Kallus in the following thread: https://www.mail-archive.com/haproxy@formilux.org/msg46471.html there exist some agents which mistakenly accept CRLF inside quoted chunk extensions, making it possible to fool them by injecting one extra chunk they won't see for example, or making them miss the end of the body depending on how it's done. Haproxy, like most other agents nowadays, doesn't care at all about chunk extensions and just drops them, in agreement with the spec. However, as discussed, since chunk extensions are basically never used except for attacks, and that the cost of just matching quote pairs and checking backslashed quotes is escape consistency remains relatively low, it can make sense to add such a check to abort the message parsing when this situation is encountered. Note that it has to be done at two places, because there is a fast path and a slow path for chunk parsing. Also note that it *will* cause transfers using improperly formatted chunk extensions to fail, but since these are really not used, and that the likelihood of them being used but improperly quoted certainly is much lower than the risk of crossing a broken parser on the client's request path or on the server's response path, we consider the risk as acceptable. The test is not subject to the configurable parser exceptions and it's very unlikely that it will ever be needed. Since this is done in 3.4 which will be LTS, this patch will have to be backported to 3.3 so that any unlikely trouble gets a chance to be detected before users upgrade to 3.4. Thanks to Ben for the discussion, and to Rajat Raghav for sparking it in the first place even though the original report was mistaken. Cc: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> Cc: Rajat Raghav <xclow3n@gmail.com> Cc: Christopher Faulet <cfaulet@haproxy.com>
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located into the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.