From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 06:27:02 +0000 (+0200)
Subject: requests: assert that theres no @ in the URLs authority
X-Git-Url: https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff_plain;h=c2bd69c7b5e9c775f96021cf8ae53da3dbd9029d

requests: assert that theres no @ in the URLs authority

We don't expect any userinfo in the authority and t o avoid that this allows some leverage in doing weird things later its better to error out early on such requests.

Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index dc12e7b..9de6238 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1574,6 +1574,11 @@ sub push_request_header {
 $self->error($reqstate, 506, "http protocol version $maj.$min not supported");
 return;
 }
+ if ($url =~ m|^[^/]*@|) {
+ # if an '@' comes before the first slash proxy forwarding might consider
+ # the frist part of the url to be part of an authority...
+ $self->error($reqstate, 400, "invalid url");
+ }
 $self->{request_count}++; # only count valid request headers
 if ($self->{request_count} >= $self->{max_requests}) {
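Review bot: The new `if ($url =~ m|^[^/]*@|)` block calls `$self->error($reqstate, 400, "invalid url");` but does not stop there, so unlike the 506 branch directly above it the handler falls through to `$self->{request_count}++` and the rest of push_request_header after an error response has already been issued, which means the rejected request is still processed rather than dropped early as the commit message intends; add `return;` immediately after the `$self->error(...)` call, mirroring the preceding branch. The comment in the block also has a typo, `frist` for `first`. The hunk's trailing context line and the remainder of `push_request_header` lie outside this excerpt, so whether anything later compensates for the missing return cannot be confirmed from here.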