[6.0] cfb79576b VSV00007 Test case for H2 smuggling attack

Martin Blix Grydeland martin at varnish-software.com
Tue Jul 13 10:06:08 UTC 2021


commit cfb79576b229c6c4d7d39bbe05fec977020fa8c9
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Tue Jun 22 11:47:58 2021 +0200

    VSV00007 Test case for H2 smuggling attack

diff --git a/bin/varnishtest/tests/f00007.vtc b/bin/varnishtest/tests/f00007.vtc
new file mode 100644
index 000000000..1cf45aad1
--- /dev/null
+++ b/bin/varnishtest/tests/f00007.vtc
@@ -0,0 +1,82 @@
+varnishtest "H/2 content length smuggling attack"
+
+server s1 {
+	rxreqhdrs
+	expect_close
+} -start
+
+server s2 {
+	rxreqhdrs
+	expect_close
+} -start
+
+server s3 {
+	rxreq
+	expect_close
+} -start
+
+server s4 {
+	rxreq
+	expect req.body == "A"
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+	import vtc;
+	sub vcl_backend_fetch {
+		if (bereq.url == "/1") {
+			set bereq.backend = s1;
+		} else if (bereq.url == "/2") {
+			set bereq.backend = s2;
+		} else if (bereq.url == "/3") {
+			set bereq.backend = s3;
+		} else {
+			set bereq.backend = s4;
+		}
+	}
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+
+client c1 {
+	stream 1 {
+		txreq -req POST -url /1 -hdr "content-length" "1" -nostrend
+		txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n"
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c2 {
+	stream 1 {
+		txreq -req POST -url /2 -hdr "content-length" "1" -nostrend
+		txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n" -nostrend
+		txdata
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c3 {
+	stream 1 {
+		txreq -req POST -url /3 -hdr "content-length" "1" -nostrend
+		txdata -data "A" -nostrend
+		txdata -data "GET /FAIL HTTP/1.1\r\n\r\n"
+		rxwinup
+		rxrst
+		expect rst.err == PROTOCOL_ERROR
+	} -run
+} -run
+
+client c4 {
+	stream 1 {
+		txreq -req POST -url /4 -hdr "content-length" "1" -nostrend
+		txdata -data "A" -nostrend
+		txdata
+		rxwinup
+		rxwinup
+		rxresp
+		expect resp.status == 200
+	} -run
+} -run


More information about the varnish-commit mailing list