test and document VRT_ValidHdr()

85a42d7d · Nils Goroll · 40b6f254 · 85a42d7d · 85a42d7d · 85a42d7d
Unverified Commit 85a42d7d authored Oct 14, 2020 by Nils Goroll
5 changed files
--- a/bin/varnishtest/tests/b00040.vtc
+++ b/bin/varnishtest/tests/b00040.vtc
@@ -10,12 +10,21 @@ server s1 {
 } -start

 varnish v1 -vcl+backend {
+	import debug;
+
 	sub vcl_recv {
 		if (req.url == "/9") {
 			set req.http.foo = {"
 			"};
 		}
 	}
+	sub vcl_deliver {
+		if (req.url == "/9") {
+			set resp.http.valid1 = debug.validhdr({"
+			"});
+			set resp.http.valid2 = debug.validhdr("a");
+		}
+	}
 } -start

 logexpect l1 -v v1 -g raw {
@@ -105,4 +114,6 @@ client c1 {
 	txreq -url /9
 	rxresp
 	expect resp.status == 200
+	expect resp.http.valid1 == false
+	expect resp.http.valid2 == true
 } -run
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -37,6 +37,11 @@ Varnish Cache Next (2021-03-15)
  set headers are now validated to contain only characters allowed by
  RFC7230. A (runtime) VCL failure is triggered if not.

+* ``VRT_ValidHdr()`` has been added for vmods to conduct the same
+  check as the ``validate_headers`` feature, for example when headers
+  are set by vmods using the ``cache_http.c`` Functions like
+  ``http_ForceHeader()`` from untrusted input.
+
 * The shard director now supports reconfiguration (adding/removing
  backends) of several instances without any special ordering
  requirement.

--- a/include/vrt.h
+++ b/include/vrt.h
@@ -52,8 +52,9 @@
 * Whenever something is deleted or changed in a way which is not
 * binary/load-time compatible, increment MAJOR version
 *
- * 13.0 (2020-03-15)
+ * 13.0 (2021-03-15)
 *	Calling convention for VDP implementation changed
+ *	Added VRT_ValidHdr()
 * 12.0 (2020-09-15)
 *	Added VRT_DirectorResolve()
 *	Added VCL_STRING VRT_BLOB_string(VRT_CTX, VCL_BLOB)

--- a/lib/libvmod_debug/vmod_debug.c
+++ b/lib/libvmod_debug/vmod_debug.c
@@ -1208,3 +1208,10 @@ xyzzy_priv_task_with_option(VRT_CTX, struct VARGS(priv_task_with_option) *args)
 		args->priv->priv = WS_Copy(ctx->ws, args->opt, -1);
 	return (args->priv->priv);
 }
+
+VCL_BOOL v_matchproto_(td_xyzzy_validhdr)
+xyzzy_validhdr(VRT_CTX, VCL_STRANDS s)
+{
+	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	return (VRT_ValidHdr(ctx, s));
+}
--- a/lib/libvmod_debug/vmod_debug.vcc
+++ b/lib/libvmod_debug/vmod_debug.vcc
@@ -312,3 +312,7 @@ Quote an input string to be usable for an exact match in a regular expression.
 $Function STRING priv_task_with_option(PRIV_TASK priv, [STRING opt])

 A function mixing a named PRIV_TASK with optional parameters.
+
+$Function BOOL validhdr(STRANDS)
+
+Test if the argument is a valid header according to RFC7230 section 3.2.