From: Willy Tarreau <w@1wt.eu>
Date: Tue, 8 Aug 2023 19:53:51 +0200
Subject: REGTESTS: http-rules: verify that we block '#' by default for
 normalize-uri
Origin: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=dbf47600f63ffe161ce08d2f0faef7e0deb32b6e

Since we now block fragments by default, let's add an extra test there
to confirm that it's blocked even when stripping it.

(cherry picked from commit 4d0175b54b2b4eeb01aa6e31282b0a5b0d7d8ace)
 [ad: backported to test conformance of BUG/MINOR: h1: do not accept '#'
  as part of the URI component]
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit b3f26043df74c661155566a0abd56103e8116078)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit 41d161ccbbfa846b4b17ed0166ff08f6bf0c3ea1)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit b6b330eb117d520a890e5b3cd623eaa73479db1b)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 73b9b13ac2654ef5384789685e3d65ca5f2f880a)
[wt: rewrote the test for 2.2 without normalize-uri and called it
 fragments-in-uri]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 reg-tests/http-rules/fragment_in_uri.vtc | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 reg-tests/http-rules/fragment_in_uri.vtc

diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc
new file mode 100644
index 000000000000..720fc26c16dc
--- /dev/null
+++ b/reg-tests/http-rules/fragment_in_uri.vtc
@@ -0,0 +1,39 @@
+varnishtest "check for fragments in URL"
+#REQUIRE_VERSION=2.0
+
+# This reg-test checks that '#' is properly blocked in requests
+
+feature ignore_unknown_macro
+
+server s1 {
+    rxreq
+    txresp -hdr "connection: close"
+} -start
+
+haproxy h1 -conf {
+    global
+        # WT: limit false-positives causing "HTTP header incomplete" due to
+        # idle server connections being randomly used and randomly expiring
+        # under us.
+        tune.idle-pool.shared off
+
+    defaults
+        mode http
+        timeout connect 1s
+        timeout client  1s
+        timeout server  1s
+
+    frontend fe_fragment_block
+        bind "fd@${fe_fragment_block}"
+        default_backend be
+
+    backend be
+        server s1 ${s1_addr}:${s1_port}
+
+} -start
+
+client c11 -connect ${h1_fe_fragment_block_sock} {
+    txreq -url "/#foo"
+    rxresp
+    expect resp.status == 400
+} -run
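Review bot: The test's only assertion is `expect resp.status == 400` for `/#foo` in client c11, so nothing shows that the rejection is caused by the '#' rather than by every request through `fe_fragment_block` failing. A control client run before c11 with `txreq -url "/foo"`, `rxresp` and `expect resp.status == 200` would pin that down; s1 as written serves exactly one request, which is enough for this. It would also help to cover a '#' that follows a query string, for example `txreq -url "/?a=b#foo"` expecting 400, since only the path position is exercised here. The comment `# This reg-test checks that '#' is properly blocked in requests` could say that this is the default behaviour with no relaxing option configured (presumably `option accept-invalid-http-request`; confirm against the fix being tested).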
-- 
2.43.0

