@@ -28,6 +28,34 @@ static int (*ap_proxy_clear_connection_fn)(request_rec *r, apr_table_t *headers)
2828static apr_status_t ap_proxygetline (apr_bucket_brigade * bb , char * s , int n ,
2929 request_rec * r , int flags , int * read );
3030
31+ static int filter_underscored_headers (request_rec * r , proxy_server_conf * conf )
32+ {
33+ const apr_array_header_t * hdrs_arr = apr_table_elts (r -> headers_in );
34+ const apr_table_entry_t * hdrs = (const apr_table_entry_t * ) hdrs_arr -> elts ;
35+ int i ;
36+
37+ if (conf -> underscored_headers == underscored_headers_allow )
38+ return OK ;
39+
40+ for (i = 0 ; i < hdrs_arr -> nelts ; i ++ ) {
41+ if (!hdrs [i ].key ) continue ;
42+ if (!ap_strchr (hdrs [i ].key , '_' )) continue ;
43+ if (conf -> underscored_headers == underscored_headers_drop ) {
44+ ap_log_rerror (APLOG_MARK , APLOG_TRACE1 , 0 , r , APLOGNO (10519 )
45+ "dropped underscored header '%s'" , hdrs [i ].key );
46+ apr_table_unset (r -> headers_in , hdrs [i ].key );
47+ }
48+ if (conf -> underscored_headers == underscored_headers_reject ) {
49+ ap_log_rerror (APLOG_MARK , APLOG_INFO , 0 , r , APLOGNO (10520 )
50+ "rejected request for underscored header '%s'" ,
51+ hdrs [i ].key );
52+ return HTTP_BAD_REQUEST ;
53+ }
54+ }
55+
56+ return OK ;
57+ }
58+
3159static const char * get_url_scheme (const char * * url , int * is_ssl )
3260{
3361 const char * u = * url ;
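Review bot: In drop mode the loop in filter_underscored_headers calls `apr_table_unset(r->headers_in, hdrs[i].key)` on the same table whose element array it is indexing, and then still advances `i`. apr_table_unset compacts that array in place, so the entry that followed the removed header moves into slot `i` and is never examined. When two underscored headers are adjacent, the second is forwarded to the backend even though the configuration says to drop it. Re-check the slot after a removal, for example `apr_table_unset(r->headers_in, hdrs[i].key); i--; continue;`, or collect the matching keys first and unset them after the loop. Because this is a filtering control, the drop is also worth logging above `APLOG_TRACE1` so operators can see it without trace logging enabled.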
@@ -1966,6 +1994,13 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
19661994 }
19671995 ap_log_rerror (APLOG_MARK , APLOG_TRACE1 , 0 , r , "HTTP: serving URL %s" , url );
19681996
1997+ /* check if any request header contains underscore (_),
1998+ drop such header or reject the whole request accordingly to conf
1999+ */
2000+ if ((status = filter_underscored_headers (r , conf )) != OK ) {
2001+ return status ;
2002+ }
2003+
19692004 /* create space for state information */
19702005 if ((status = ap_proxy_acquire_connection (scheme , & backend ,
19712006 worker , r -> server )) != OK ) {