From c2bd69c7b5e9c775f96021cf8ae53da3dbd9029d Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 08:27:02 +0200
Subject: [PATCH] requests: assert that theres no @ in the URLs authority

We don't expect any userinfo in the authority and t o avoid that this allows some leverage in doing weird things later its better to error out early on such requests.

Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---
 src/PVE/APIServer/AnyEvent.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index dc12e7b..9de6238 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1574,6 +1574,11 @@ sub push_request_header {
 $self->error($reqstate, 506, "http protocol version $maj.$min not supported");
 return;
 }
+ if ($url =~ m|^[^/]*@|) {
+ # if an '@' comes before the first slash proxy forwarding might consider
+ # the frist part of the url to be part of an authority...
+ $self->error($reqstate, 400, "invalid url");
+ }
 $self->{request_count}++; # only count valid request headers
 if ($self->{request_count} >= $self->{max_requests}) {
-- 
2.39.2
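Review bot: The new `if ($url =~ m|^[^/]*@|)` branch calls `$self->error($reqstate, 400, "invalid url")` but, unlike the 506 path directly above it, does not `return;`, so unless `error()` itself tears down the connection (not visible here) the rejected request still falls through to the `request_count` bookkeeping and whatever dispatch follows the hunk — the very "later" handling the commit message wants to keep such URLs away from. Add `return;` immediately after the error call so this rejection behaves like the other ones. Note also that `^[^/]*@` only looks at the bytes before the first slash, so an absolute-form request target such as `http://user@host/...` would pass the check; if absolute-form targets can reach `push_request_header`, the pattern should anchor on the authority explicitly rather than on "no slash yet". The comment's `frist` is a typo for `first`. The enclosing `push_request_header` begins and ends outside the hunk.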