change_request_destination(): Reject rewrites from http to https
authorFabian Keil <fk@fabiankeil.de>
Thu, 7 Jan 2021 13:41:17 +0000 (14:41 +0100)
committerFabian Keil <fk@fabiankeil.de>
Sun, 10 Jan 2021 15:48:22 +0000 (16:48 +0100)
... as they currently aren't supported.

Previously we would wait for the client to establish
an encrypted connection which obviously would not happen.

jcc.c

diff --git a/jcc.c b/jcc.c
index a5e561f..4b85fe7 100644 (file)
--- a/jcc.c
+++ b/jcc.c
@@ -1044,6 +1044,16 @@ static jb_err change_request_destination(struct client_state *csp)
       log_error(LOG_LEVEL_ERROR, "Couldn't parse rewritten request: %s.",
          jb_err_to_string(err));
    }
+   if (http->ssl && strcmpic(csp->http->gpc, "CONNECT"))
+   {
+      /*
+       * A client header filter changed the request URL from
+       * http:// to https:// which we currently don't support.
+       */
+      log_error(LOG_LEVEL_ERROR, "Changing the request destination from http "
+         "to https behind the client's back currently isn't supported.");
+      return JB_ERR_PARSE;
+   }
 
    return err;
 }