#
f5376943 |
| 01-Dec-2023 |
millert <millert@openbsd.org> |
relay_read_http: strip out Content-Length if we strip the body too
We should not forward Content-Length if the body is not also forwarded.
|
#
eefb3de5 |
| 29-Nov-2023 |
millert <millert@openbsd.org> |
relay_read_http: defer header parsing until after line continuation
Wait until we have a complete line before parsing the Content-Length, Transfer-Encoding and Host headers. This prevents potential request smuggling attacks. Filtering already happens after header line continuation has been performed. Reported by Ben Kallus. OK claudio@
|
#
1c543edc |
| 28-Nov-2023 |
millert <millert@openbsd.org> |
relay_read_http: tighten up header parsing
1) reject headers with embedded NULs
2) reject headers with invalid characters in the name
3) reject Transfer-Encoding with values other than "chunked"
4) reject chunk values containing non-hex characters
5) reject Content-Length values of "+0" or "-0"
6) reject requests without a ' ' and headers without a ':'
Reported by Ben Kallus, OK bluhm@
|
#
b2767518 |
| 28-Dec-2022 |
jmc <jmc@openbsd.org> |
{en,de}queing -> {en,de}queuing; from paul tagliamonte
|
#
03c01c05 |
| 23-Oct-2021 |
benno <benno@openbsd.org> |
do not duplicate "Connection: close" headers and only add it if it's not a websockets response. Reported by Marcus MERIGHI and Jonathon Fletcher, this fix is by Jonathon, Thanks! ok claudio@
|
#
e472afa5 |
| 25-Jul-2021 |
benno <benno@openbsd.org> |
The output of server_root_strip() is a string. Use the correct format "%s". Same for the output of relay_expand_http(). with and ok claudio@ Found by Cedric Tessier, thanks!
|
#
53e8df0d |
| 24-Mar-2021 |
benno <benno@openbsd.org> |
Responses to HEAD requests must not have a message body (even though they have a Content-Length header). HTTP RFC 7231 section 4.3.2. found by niklas@, claudio@ agrees.
|
#
eeb1fea4 |
| 09-Jan-2021 |
denis <denis@openbsd.org> |
Add 'strip' directive
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@
|
#
44c7492e |
| 04-Sep-2020 |
bket <bket@openbsd.org> |
Replace TAILQ concatenation loop with TAILQ_CONCAT
OK millert@, florian@
|
#
053cc50e |
| 13-Jul-2019 |
chrisz <chrisz@openbsd.org> |
Don't "forward to <table>" when a "forward to destination" address is set. This matches the documented behaviour. On matching "forward to <table>" filter rules the "forward to destination" address is unset, so that in that case the "forward to <table>" rule is still used.
OK benno@, regression tests still passing.
|
#
c4ec8a1c |
| 05-Jul-2019 |
robert <robert@openbsd.org> |
Add a new macro called $HOST that expands to the Host header's value or falls back to the same value as $SERVER_ADDR in case the Host header is not available.
ok reyk@
|
#
2c58e087 |
| 13-May-2019 |
reyk <reyk@openbsd.org> |
Add Connection: close when switching to "unlimited" reading mode.
Ask the server to close the connection after the request since we don't read any further request headers. This fixes an issue with OPTIONS and optional body, as well as similar cases.
Reported and tested by Rivo Nurges
OK benno@
|
#
65f47834 |
| 13-May-2019 |
reyk <reyk@openbsd.org> |
Fix filter rules with "forward to" statement in persistent connections.
OK bentley@ mikeb@
|
#
860302f3 |
| 10-May-2019 |
reyk <reyk@openbsd.org> |
Add support for from/to in relay filter rules.
For example, pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
#
a168ef1a |
| 08-May-2019 |
reyk <reyk@openbsd.org> |
Fix and tweak websocket upgrade handling.
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges
OK and input from benno@ Cvs: ----------------------------------------------------------------------
|
#
e7742cb1 |
| 04-Mar-2019 |
benno <benno@openbsd.org> |
Support for rfc 6455 Websockets connection upgrade. Add a new protocol option 'http { [no] websockets }' to allow such connections (default is no). Original diff from Daniel Lamando (dan AT danopia DOT net), option and header checks by me. suggestions and ok bluhm@ and earlier diff claudio@
|
#
0be9d00a |
| 06-Aug-2018 |
benno <benno@openbsd.org> |
replace the current log options
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or all checks.
The third option controls logging of connections in relay mode: Either log all connections, or only errors.
Additionally, errors will be logged with LOG_WARN and good connections will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
#
feb6514b |
| 27-Nov-2017 |
benno <benno@openbsd.org> |
rfc 7230 mandates that a "204 No Content" http status must not come with a Content-Length Header. Of course some servers still do it and send Content-Length: 0. Adjust accordingly. ok claudio@
|
#
954d713b |
| 27-Nov-2017 |
claudio <claudio@openbsd.org> |
Simplify relay_close_http(), make relay_httpdesc_free() accept and ignore a NULL pointer argument (like free()). Also switch a !size to size == 0. OK benno@
|
#
0ad20b85 |
| 15-Nov-2017 |
benno <benno@openbsd.org> |
make the maximum size of http headers configurable in the protocol. ok bluhm@, >8k makes sense claudio@
|
#
536becf6 |
| 23-Sep-2017 |
bluhm <bluhm@openbsd.org> |
The relayd regression tests for chunked HTTP traffic were failing sporadically. If the \r and \n were read in separate chunks, relayd got out of sync with the protocol as they were interpreted as two lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of evbuffer_readline(). OK benno@
|
#
efc39811 |
| 28-May-2017 |
benno <benno@openbsd.org> |
use __func__ in log messages. fix some whitespace while here. From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks! ok florian, claudio
|
#
85e5f500 |
| 27-May-2017 |
claudio <claudio@openbsd.org> |
Migrate relayd to use libtls for TLS. Still does the TLS privsep via the engine but at least we can use a sane API for new features. Going in now so it is possible to work with this in tree. General agreement at d2k17.
|
#
d45e8c85 |
| 10-Mar-2017 |
reyk <reyk@openbsd.org> |
DELETE can have a body.
Fix by Rivo Nurges, fixes a problem with Atlassian JIRA
OK benno@
|
#
2166201e |
| 26-Sep-2016 |
reyk <reyk@openbsd.org> |
spacing
|