We don't expect any userinfo in the authority and to avoid that this
allows some leverage in doing weird things later it's better to error
out early on such requests.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
$self->error($reqstate, 506, "http protocol version $maj.$min not supported");
return;
}
+ if ($url =~ m|^[^/]*@|) {
+ # if an '@' comes before the first slash proxy forwarding might consider
+ # the frist part of the url to be part of an authority...
+ $self->error($reqstate, 400, "invalid url");
+ }
$self->{request_count}++; # only count valid request headers
if ($self->{request_count} >= $self->{max_requests}) {
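Review bot: the new `if ($url =~ m|^[^/]*@|)` branch calls `$self->error($reqstate, 400, "invalid url");` without a following `return;`, unlike the 506 branch directly above it, so a request that was just rejected still falls through to `$self->{request_count}++` (which is commented as counting only valid request headers) and to the processing after it. Add `return;` after the error call so the rejection really is an early exit, as the commit message intends. Minor: "frist" in the added comment should be "first".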