git.proxmox.com Git - pve-http-server.git/blobdiff - src/PVE/APIServer/AnyEvent.pm
requests: assert that theres no @ in the URLs authority
index dc12e7bd02139879ce444aa6924ec8c5ad7100a0..9de623815b2ddfea50a7647e87e51005cc668ff7 100644 (file)
@@ -1574,6 +1574,11 @@ sub push_request_header {
                        $self->error($reqstate, 506, "http protocol version $maj.$min not supported");
                        return;
                    }
+                   if ($url =~ m|^[^/]*@|) {
+                       # if an '@' comes before the first slash proxy forwarding might consider
+                       # the frist part of the url to be part of an authority...
+                       $self->error($reqstate, 400, "invalid url");
+                   }
 
                    $self->{request_count}++; # only count valid request headers
                    if ($self->{request_count} >= $self->{max_requests}) {
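Review bot: The added `@` branch calls `$self->error($reqstate, 400, "invalid url");` but has no `return;` after it, unlike the 506 branch directly above. Unless `error()` itself aborts the handler (not visible in this hunk), execution falls through to `$self->{request_count}++` and the rejected request is still counted and processed, so the check may not block what it is meant to block; add `return;` as the last statement of the new `if` body. Separately, `m|^[^/]*@|` only inspects the text before the first slash, so an absolute-form target such as `scheme://user@host/...` would not match because `//` ends the scan before the `@`; confirm that such targets are rejected or normalised before this point. The comment also has a typo, "frist" should be "first". The body of push_request_header starts and continues outside this hunk.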