We implicitly assume that to be the case when assembling the target
URL, so assert it explicitly as it's user controlled input.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
eval {
my $target;
my $keep_alive = 1;
eval {
my $target;
my $keep_alive = 1;
+
+ # stringify URI object and verify it starts with a slash
+ $uri = "$uri";
+ if ($uri !~ m@^/@) {
+ $self->error($reqstate, 400, "invalid proxy uri");
+ return;
+ }
+
if ($host eq 'localhost') {
$target = "http://$host:85$uri";
# keep alive for localhost is not worth (connection setup is about 0.2ms)
if ($host eq 'localhost') {
$target = "http://$host:85$uri";
# keep alive for localhost is not worth (connection setup is about 0.2ms)