From 7a474855b4e676e8f37ee7365606e93cff9b9933 Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Wed, 25 Feb 2026 16:00:39 +0100 Subject: [PATCH] BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/" When the response is parsed, we test the version to be sure it is valid. However, the protocol was not tested. Now we take care that the response version starts by "HTTP/", otherwise an error is returned. Of course, it is still possible to by-pass this test with "accept-unsafe-violations-in-http-response" option. This patch could be backported to all stable versions. --- src/h1_htx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/h1_htx.c b/src/h1_htx.c index 2fd6540ba..fbd635347 100644 --- a/src/h1_htx.c +++ b/src/h1_htx.c @@ -110,7 +110,7 @@ static int h1_process_res_vsn(struct h1m *h1m, union h1_sl *sl) if (sl->st.v.len != 8) return 0; - if (*(sl->st.v.ptr + 4) != '/' || + if (!istnmatch(sl->st.v, ist("HTTP/"), 5) || !isdigit((unsigned char)*(sl->st.v.ptr + 5)) || *(sl->st.v.ptr + 6) != '.' || !isdigit((unsigned char)*(sl->st.v.ptr + 7)))