From 358601f7ad1aa1ad97dce91261e584c65296ab64 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Thu, 25 Mar 2021 11:06:54 +0100
Subject: [PATCH] receive_client_request(): Reject https URLs without CONNECT request
---
 jcc.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/jcc.c b/jcc.c
index 36ac4f06..17aa0392 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1813,6 +1813,19 @@ static jb_err receive_client_request(struct client_state *csp)
 free_http_request(http);
 return JB_ERR_PARSE;
 }
+ if (http->ssl && strcmpic(http->gpc, "CONNECT"))
+ {
+ write_socket_delayed(csp->cfd, CHEADER, strlen(CHEADER),
+ get_write_delay(csp));
+ /* XXX: Use correct size */
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0",
+ csp->ip_addr_str);
+ log_error(LOG_LEVEL_ERROR, "Client %s tried to send a https "
+ "URL without sending a CONNECT request first",
+ csp->ip_addr_str);
+ free_http_request(http);
+ return JB_ERR_PARSE;
+ }
 /* grab the rest of the client's headers */
 init_list(headers);
-- 
2.39.2
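Review bot: The new `if (http->ssl && strcmpic(http->gpc, "CONNECT"))` branch has no comment saying why this combination must be refused, and the bare `strcmpic(...)` truth test reads as "is CONNECT" when it means the opposite. I would write the comparison as `strcmpic(http->gpc, "CONNECT") != 0` and put a comment above it such as `/* An https:// URL outside a CONNECT request marks the request as ssl although no TLS session was set up; refuse it here. */` — that rationale is inferred from the subject line and the error message, so the wording should be confirmed against the code that consumes `http->ssl`. The result of `write_socket_delayed()` is also ignored, so the CLF entry records a 400 even if nothing reached the client, and the `XXX` already concedes that the logged size of 0 is not the number of bytes sent. receive_client_request() begins and ends outside the hunk, so whether `http->gpc` can be NULL at this point cannot be checked from here.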