ban: Require valid header variables

We must ensure that we get a complete header name before evaluating
a ban, so "req.http." should not be accepted.

Refs #3962

bin/varnishd/cache/cache_ban_build.c

@@ -260,6 +260,9 @@ BAN_AddTest(struct ban_proto *bp,
 
 	VSB_putc(bp->vsb, pv->tag);
 	if (pv->flag & BANS_FLAG_HTTP) {
+		if (strlen(a1 + strlen(pv->name)) < 1)
+			return (ban_error(bp,
+			    "Missing header name: \"%s\"", pv->name));
 		assert(BANS_HAS_ARG1_SPEC(pv->tag));
 		ban_parse_http(bp, a1 + strlen(pv->name));
 	}

bin/varnishtest/tests/r03962.vtc

@@ -10,4 +10,5 @@ varnish v1 -cliexpect {Unknown or unsupported field "obj.ageYY"} "ban obj.ageYY
 varnish v1 -cliexpect {Unknown or unsupported field "req.ur"} "ban req.ur ~ foobarbazzz"
 varnish v1 -cliexpect {Unknown or unsupported field "req.htt"} "ban req.htt ~ foobarbazzz"
 varnish v1 -cliexpect {Unknown or unsupported field "req.htt.XXYY"} "ban req.htt.XXYY ~ foobarbazzz"
+varnish v1 -cliexpect {Missing header name: "obj.http."} "ban obj.http. ~ foobarbazzz"
 varnish v1 -cliok "ban req.http.XXYY ~ foobarbazzz"

doc/changes.rst

@@ -38,6 +38,10 @@ Varnish Cache NEXT (2023-09-15)
 .. PLEASE keep this roughly in commit order as shown by git-log / tig
    (new to old)
 
+* Two bugs in the ban expression parser have been fixed where one of them
+  could lead to a panic if a ban expression with an empty header name was
+  issued (3962_)
+
 * A bug has been fixed where ``unset bereq.body`` had no effect when
   used with a cached body (3914_)
 
@@ -87,6 +91,7 @@ Varnish Cache NEXT (2023-09-15)
 .. _3908: https://github.com/varnishcache/varnish-cache/pull/3908
 .. _3911: https://github.com/varnishcache/varnish-cache/issues/3911
 .. _3914: https://github.com/varnishcache/varnish-cache/pull/3914
+.. _3962: https://github.com/varnishcache/varnish-cache/issues/3962
 
 ================================
 Varnish Cache 7.3.0 (2023-03-15)