
fix(920100): drop HTTP/0.9 GET support from request line validation #4621

Merged: fzipi merged 2 commits into main from fix/920100-drop-http09 on Apr 22, 2026

Conversation

@fzipi
Member

@fzipi fzipi commented Apr 20, 2026

what

  • remove the GET-without-protocol alternative from regex-assembly/920100.ra
  • regenerate the compiled regex in rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf (shorter, simpler)
  • remove the misleading "HTTP/0.9 for legacy clients" example from crs-setup.conf.example and add a note that HTTP/0.9 is no longer supported

why

  • HTTP/0.9 is obsolete per RFC 9110
  • the GET HTTP/0.9 branch was the only alternative that did not require a protocol suffix in the request line, leaving an inconsistency: rule 920430 already excludes HTTP/0.9 from tx.allowed_http_versions by default, but rule 920100 accepted HTTP/0.9 request-line syntax
  • the crs-setup.conf.example legacy hint would have led users to a half-working configuration (HTTP/0.9 allowed at the protocol level, but blocked at the request-line level)
  • GET requests with proper HTTP/1.x, HTTP/2, or HTTP/3 protocols remain covered by the generic method alternative

refs

  • RFC 9110 (HTTP Semantics)

ai disclosure

  • tools used: Claude (Opus 4.7)
  • assisted with: analysis of the existing regex alternatives, identification of the HTTP/0.9 branch as removable given RFC 9110, drafting the .ra edit, regenerating the compiled regex via crs-toolchain regex update 920100, drafting the crs-setup.conf.example comment update, drafting this PR description
  • review performed: verified the regex change manually (ran crs-toolchain regex compare/generate, inspected diff); confirmed all 16 existing regression tests for 920100 still pass; verified the removed HTTP/0.9 behavior manually by sending GET /\r\n\r\n via nc and confirming rule 920100 now fires (log entry present); cross-checked rule 920430's default tx.allowed_http_versions to confirm consistency; read RFC 9110 to verify HTTP/0.9 status

remove the GET-without-protocol alternative from the regex assembly.
HTTP/0.9 is obsolete per RFC 9110 and the dedicated alternative was
the only one that did not require a protocol suffix in the request
line. GET requests with proper HTTP/1.x or HTTP/2 protocol versions
remain covered by the generic method alternative.
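As an added illustration (not code from the PR or from CRS): a constructed, simplified model of the two checks the description contrasts, a 920100-style request-line syntax check with and without the GET-without-protocol branch, and a 920430-style allowed-version check. The regexes, the method list and the allowed-version set are assumptions, not the compiled CRS patterns.

```python
import re

# Constructed, simplified stand-ins for the two CRS checks discussed in the PR.
# They are NOT the compiled regex from REQUEST-920-PROTOCOL-ENFORCEMENT.conf (that is
# generated from regex-assembly/920100.ra by crs-toolchain); they only reproduce the
# structural difference the PR describes: whether a GET line with no protocol suffix
# (HTTP/0.9 syntax) passes request-line validation.
METHODS = r"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH)"
VERSION = r"HTTP/(?:1\.[01]|2(?:\.0)?|3(?:\.0)?)"

# "Before": generic method alternative OR the dedicated GET-without-protocol branch.
REQUEST_LINE_BEFORE = re.compile(rf"^(?:{METHODS} \S+ {VERSION}|GET /\S*)$")
# "After": only the generic alternative, so every method needs a protocol suffix.
REQUEST_LINE_AFTER = re.compile(rf"^{METHODS} \S+ {VERSION}$")

# Assumed default for tx.allowed_http_versions: HTTP/0.9 is not in it (as for 920430).
DEFAULT_ALLOWED = frozenset({"HTTP/1.0", "HTTP/1.1", "HTTP/2", "HTTP/2.0", "HTTP/3", "HTTP/3.0"})


def rule_920100(line: str, drop_http09: bool) -> bool:
    """True when the 920100-style request-line regex rejects the line."""
    pattern = REQUEST_LINE_AFTER if drop_http09 else REQUEST_LINE_BEFORE
    return pattern.match(line) is None


def rule_920430(line: str, allowed: frozenset[str] = DEFAULT_ALLOWED) -> bool:
    """True when the protocol version is not in the allowed set.

    A request line with only method and target is HTTP/0.9 syntax; it is
    modelled here as protocol "HTTP/0.9" (an assumption, not taken from CRS).
    """
    parts = line.split(" ")
    version = parts[2] if len(parts) >= 3 else "HTTP/0.9"
    return version not in allowed


def blocking_rules(raw: str, drop_http09: bool,
                   allowed: frozenset[str] = DEFAULT_ALLOWED) -> list[str]:
    """Return which of the two modelled checks fire for a raw request line."""
    line = raw.rstrip("\r\n")
    fired = []
    if rule_920100(line, drop_http09):
        fired.append("920100")
    if rule_920430(line, allowed):
        fired.append("920430")
    return fired
```

With drop_http09=True, adding "HTTP/0.9" to the allowed set still leaves 920100 firing, which is the half-working configuration the removed crs-setup.conf.example hint would have produced.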
@github-actions
Contributor

github-actions Bot commented Apr 20, 2026

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

Contributor

Copilot AI left a comment


Pull request overview

This PR removes HTTP/0.9-style GET request-line support from rule 920100 to align request-line validation with RFC 9110 and existing protocol-version enforcement behavior in the 920xxx ruleset.

Changes:

  • Removes the HTTP/0.9 GET /... (no protocol suffix) alternative from regex-assembly/920100.ra.
  • Regenerates/simplifies the compiled 920100 request-line regex in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
  • Updates crs-setup.conf.example to remove the HTTP/0.9 “legacy clients” example and document that HTTP/0.9 is no longer supported.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf Updates the compiled REQUEST_LINE validation regex for rule 920100 after removing HTTP/0.9 support.
regex-assembly/920100.ra Drops the standalone HTTP/0.9 GET request-line pattern from the regex assembly source.
crs-setup.conf.example Removes the HTTP/0.9 example for tx.allowed_http_versions and adds a note clarifying current support.


@fzipi fzipi requested a review from a team April 20, 2026 21:53
airween
airween previously approved these changes Apr 21, 2026
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
@fzipi
Member Author

fzipi commented Apr 21, 2026

Now, there is the suggestion from @airween to backport this change to LTS v4.25.x.

For those who think this is a good idea, please add your 👍 here.

@airween airween added the backport:lts-4.25 PR that must be backported to LTS release label Apr 21, 2026
@HackingRepo
Contributor

Of course HTTP/0.9 must be dropped, from the security perspective.

@fzipi fzipi added this pull request to the merge queue Apr 22, 2026
Merged via the queue into main with commit f8402a9 Apr 22, 2026
8 checks passed
@fzipi fzipi deleted the fix/920100-drop-http09 branch April 22, 2026 12:07

Labels

backport:lts-4.25 PR that must be backported to LTS release release:fix


5 participants