From 60b5826849710f8f7bd8dbb8a31f94aef9ae6254 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sat, 21 Oct 2017 21:44:34 -0400
Subject: [PATCH] [core] stricter validation of request-URI begin

check that request-URI begins with '/', "http://", "https://", or is OPTIONS * request, or else reject with 400 Bad Request unless server.http-parseopt-header-strict = "disable" (default is enabled)

x-ref: https://redmine.lighttpd.net/boards/3/topics/7637
---
 src/request.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/request.c b/src/request.c
index 950c91ee..fbfed15a 100644
--- a/src/request.c
+++ b/src/request.c
@@ -635,9 +635,15 @@ int http_request_parse(server *srv, connection *con) {
 reqline_hostlen = nuri - reqline_host;
 buffer_copy_string_len(con->request.uri, nuri, proto - nuri - 1);
- } else {
+ } else if (!http_header_strict || (HTTP_METHOD_OPTIONS == con->request.http_method && uri[0] == '*' && uri[1] == '\0')) {
 /* everything looks good so far */
 buffer_copy_string_len(con->request.uri, uri, proto - uri - 1);
+ } else {
+ con->http_status = 400;
+ con->keep_alive = 0;
+ log_error_write(srv, __FILE__, __LINE__, "ss", "request-URI parse error -> 400 for:", uri);
+ return 0;
 }
 /* check uri for invalid characters */