From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 25 Mar 2021 10:06:54 +0000 (+0100)
Subject: receive_client_request(): Reject https URLs without CONNECT request
X-Git-Tag: v_3_0_34~141
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/@default-cgi@toggle?a=commitdiff_plain;h=358601f7ad1aa1ad97dce91261e584c65296ab64;p=privoxy.git

receive_client_request(): Reject https URLs without CONNECT request
---

diff --git a/jcc.c b/jcc.c
index 36ac4f06..17aa0392 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1813,6 +1813,19 @@ static jb_err receive_client_request(struct client_state *csp)
       free_http_request(http);
       return JB_ERR_PARSE;
    }
+   if (http->ssl && strcmpic(http->gpc, "CONNECT"))
+   {
+      write_socket_delayed(csp->cfd, CHEADER, strlen(CHEADER),
+         get_write_delay(csp));
+      /* XXX: Use correct size */
+      log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0",
+         csp->ip_addr_str);
+      log_error(LOG_LEVEL_ERROR, "Client %s tried to send a https "
+         "URL without sending a CONNECT request first",
+         csp->ip_addr_str);
+      free_http_request(http);
+      return JB_ERR_PARSE;
+   }
 
    /* grab the rest of the client's headers */
    init_list(headers);
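Review bot: The new rejection branch starting at `if (http->ssl && strcmpic(http->gpc, "CONNECT"))` has no comment saying why an https URL is only acceptable after a CONNECT, so the next reader has to recover the intent from the commit title; a one-liner above it such as `/* An https URL is only expected inside a CONNECT tunnel; a plain request carrying one is treated as invalid and rejected before the remaining headers are read. */` would document it. The return value of write_socket_delayed() is discarded here, which is acceptable if the rest of receive_client_request() treats the 400 response as best-effort, but worth confirming against the file's other error paths. The `XXX: Use correct size` marker leaves the CLF line reporting 0 bytes while CHEADER is what is actually written; if the CLF size field here is meant to be the body size, the length of CHEADER's body portion is presumably the value to log. receive_client_request() starts and ends outside the hunk.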