[master] 85a42d7d7 test and document VRT_ValidHdr()

Nils Goroll nils.goroll at uplex.de
Wed Oct 14 13:00:08 UTC 2020


commit 85a42d7d740c42eed677a3cbd2796eec3dd5d135
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Wed Oct 14 13:30:40 2020 +0200

    test and document VRT_ValidHdr()

diff --git a/bin/varnishtest/tests/b00040.vtc b/bin/varnishtest/tests/b00040.vtc
index 5e396b386..902bcc8ca 100644
--- a/bin/varnishtest/tests/b00040.vtc
+++ b/bin/varnishtest/tests/b00040.vtc
@@ -10,12 +10,21 @@ server s1 {
 } -start
 
 varnish v1 -vcl+backend {
+	import debug;
+
 	sub vcl_recv {
 		if (req.url == "/9") {
 			set req.http.foo = {"
 			"};
 		}
 	}
+	sub vcl_deliver {
+		if (req.url == "/9") {
+			set resp.http.valid1 = debug.validhdr({"
+			"});
+			set resp.http.valid2 = debug.validhdr("a");
+		}
+	}
 } -start
 
 logexpect l1 -v v1 -g raw {
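Review bot: Both new calls in `vcl_deliver` pass one string literal, so the test never exercises `VRT_ValidHdr()` with more than one strand, although the function takes STRANDS and the changelog recommends it for untrusted input. Consider a third case that concatenates a runtime value with the newline literal used for `valid1`, for example `debug.validhdr(req.url + ...)` assigned to `resp.http.valid3`, with `expect resp.http.valid3 == false` in the client hunk further down. An empty-string argument would also pin the boundary behaviour, which the diff does not show. The `varnish v1` block starts before this hunk and `logexpect l1` continues past it.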
@@ -105,4 +114,6 @@ client c1 {
 	txreq -url /9
 	rxresp
 	expect resp.status == 200
+	expect resp.http.valid1 == false
+	expect resp.http.valid2 == true
 } -run
diff --git a/doc/changes.rst b/doc/changes.rst
index a80914c52..4b7c61886 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -37,6 +37,11 @@ Varnish Cache Next (2021-03-15)
   set headers are now validated to contain only characters allowed by
   RFC7230. A (runtime) VCL failure is triggered if not.
 
+* ``VRT_ValidHdr()`` has been added for vmods to conduct the same
+  check as the ``validate_headers`` feature, for example when headers
+  are set by vmods using the ``cache_http.c`` Functions like
+  ``http_ForceHeader()`` from untrusted input.
+
 * The shard director now supports reconfiguration (adding/removing
   backends) of several instances without any special ordering
   requirement.
diff --git a/include/vrt.h b/include/vrt.h
index 7e31480a4..f9894ed73 100644
--- a/include/vrt.h
+++ b/include/vrt.h
@@ -52,8 +52,9 @@
  * Whenever something is deleted or changed in a way which is not
  * binary/load-time compatible, increment MAJOR version
  *
- * 13.0 (2020-03-15)
+ * 13.0 (2021-03-15)
  *	Calling convention for VDP implementation changed
+ *	Added VRT_ValidHdr()
  * 12.0 (2020-09-15)
  *	Added VRT_DirectorResolve()
  *	Added VCL_STRING VRT_BLOB_string(VRT_CTX, VCL_BLOB)
diff --git a/lib/libvmod_debug/vmod_debug.c b/lib/libvmod_debug/vmod_debug.c
index 3f7e57b1a..65ce4bed5 100644
--- a/lib/libvmod_debug/vmod_debug.c
+++ b/lib/libvmod_debug/vmod_debug.c
@@ -1208,3 +1208,10 @@ xyzzy_priv_task_with_option(VRT_CTX, struct VARGS(priv_task_with_option) *args)
 		args->priv->priv = WS_Copy(ctx->ws, args->opt, -1);
 	return (args->priv->priv);
 }
+
+VCL_BOOL v_matchproto_(td_xyzzy_validhdr)
+xyzzy_validhdr(VRT_CTX, VCL_STRANDS s)
+{
+	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	return (VRT_ValidHdr(ctx, s));
+}
diff --git a/lib/libvmod_debug/vmod_debug.vcc b/lib/libvmod_debug/vmod_debug.vcc
index f565b456c..4eee74547 100644
--- a/lib/libvmod_debug/vmod_debug.vcc
+++ b/lib/libvmod_debug/vmod_debug.vcc
@@ -312,3 +312,7 @@ Quote an input string to be usable for an exact match in a regular expression.
 $Function STRING priv_task_with_option(PRIV_TASK priv, [STRING opt])
 
 A function mixing a named PRIV_TASK with optional parameters.
+
+$Function BOOL validhdr(STRANDS)
+
+Test if the argument is a valid header according to RFC7230 section 3.2.
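Review bot: The description "valid header according to RFC7230 section 3.2" promises more than the test in this commit demonstrates. `debug.validhdr("a")` is expected to return true although `a` has no field name or colon. The changelog entry in the same commit describes the check as "contain only characters allowed by RFC7230", so the wording here could match it, e.g. `Test if the argument contains only characters allowed in a header by RFC7230 section 3.2.` A vmod author who reads the current text as full header validation might skip their own checks on field name or structure. This is inferred from the test, since the body of `VRT_ValidHdr()` is not part of this diff.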

