Merge pull request #296 from cloudfoundry/haproxy-2-5-7

maxmoehl · web-flow · commit 199f18269e42 · 2022-07-12T16:41:34.000+02:00
HAProxy 2.5.7 and `h1-accept-payload-with-any-method`
diff --git a/ci/release_notes.md b/ci/release_notes.md
@@ -3,9 +3,10 @@
 
 # New Features
 - socat is directly executable due to a symlink
+- expose `h1-accept-payload-with-any-method` as `ha_proxy.always_allow_body_http10`
 
 # Upgrades
-- None
+- HAProxy 2.5.4 -> 2.5.7
 
 # Acknowledgements
 
diff --git a/config/blobs.yml b/config/blobs.yml
@@ -1,7 +1,7 @@
-haproxy/haproxy-2.5.4.tar.gz:
-  size: 3819082
-  object_id: 8b4e411e-1726-45ba-4d57-8f2a23df8d58
-  sha: sha256:dc4015d85c7fef811b459803b763001d809b07a9251dc1864fedb9a07b44aefb
+haproxy/haproxy-2.5.7.tar.gz:
+  size: 3832801
+  object_id: 7427e80b-f2b1-4d20-6176-644309b53c63
+  sha: sha256:e29f6334c6bdb521f63ddf335e2621bd2164503b99cf1f495b6f56ff9f3c164e
 haproxy/hatop:
   size: 72445
   object_id: 17a5f66c-bbc1-4e4d-681c-e36420d3e0f5
diff --git a/haproxy-patches/disable-http10-body-in-get-request.patch b/haproxy-patches/disable-http10-body-in-get-request.patch
diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec
@@ -677,3 +677,6 @@ properties:
   ha_proxy.enable_http2:
     description: Enables ingress (frontend) and egress (backend) HTTP/2 ALPN negotiation. Egress (backend) HTTP protocol version may be overriden by `ha_proxy.backend_ssl`, `ha_proxy.disable_backend_http2_websockets` and `ha_proxy.backend_match_http_protocol`.
     default: false
+  ha_proxy.always_allow_body_http10:
+    description: Always allow a body to be sent when using HTTP/1.0. By default HAProxy denies GET/HEAD/DELETE requests with a body when using HTTP/1.0 due to potential request smuggling attacks. See https://github.com/haproxy/haproxy/commit/e136bd12a32970bc90d862d5fe09ea1952b62974
+    default: false
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
@@ -276,6 +276,9 @@ global
   <%- if backend_match_http_protocol && backends.length == 2 -%>
     set-var proc.h2_alpn_tag str(h2)
   <%- end -%>
+  <%- if p("ha_proxy.always_allow_body_http10") %>
+    h1-accept-payload-with-any-method
+  <%- end %>
 
 defaults
     log global
diff --git a/packages/haproxy/packaging b/packages/haproxy/packaging
@@ -10,8 +10,8 @@ PCRE_VERSION=10.40
 # http://www.dest-unreach.org/socat/download/socat-1.7.4.1.tar.gz
 SOCAT_VERSION=1.7.4.1
 
-# http://www.haproxy.org/download/2.5/src/haproxy-2.5.4.tar.gz
-HAPROXY_VERSION=2.5.4
+# https://www.haproxy.org/download/2.5/src/haproxy-2.5.7.tar.gz
+HAPROXY_VERSION=2.5.7
 
 mkdir ${BOSH_INSTALL_TARGET}/bin
 
diff --git a/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb b/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb
@@ -491,4 +491,16 @@
       expect(defaults).to include('option allbackups')
     end
   end
+
+  context 'when ha_proxy.always_allow_body_http10 is true' do
+    let(:properties) do
+      {
+        'always_allow_body_http10' => true
+      }
+    end
+
+    it 'sets the global option' do
+      expect(global).to include('h1-accept-payload-with-any-method')
+    end
+  end
 end
