From 90496bffab80389d9c91e985e0ae28c6f9b3ddba Mon Sep 17 00:00:00 2001
From: Saurav Kumar <2020saurav@gmail.com>
Date: Thu, 14 May 2020 19:23:56 -0700
Subject: [PATCH 1/6] Adding HTTP Status code 451 for Unavailable For Legal
 Reasons (RFC 7725)

---
 include/tscpp/api/HttpStatus.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/tscpp/api/HttpStatus.h b/include/tscpp/api/HttpStatus.h
index 1fb3e15efe0..89f6dd8f945 100644
--- a/include/tscpp/api/HttpStatus.h
+++ b/include/tscpp/api/HttpStatus.h
@@ -82,6 +82,7 @@ enum HttpStatus {
   HTTP_STATUS_PRECONDITION_REQUIRED           = 428,
   HTTP_STATUS_TOO_MANY_REQUESTS               = 429,
   HTTP_STATUS_REQUEST_HEADER_FIELDS_TOO_LARGE = 431,
+  HTTP_STATUS_UNAVAILABLE_FOR_LEGAL_REASONS   = 451,
 
   HTTP_STATUS_INTERNAL_SERVER_ERROR           = 500,
   HTTP_STATUS_NOT_IMPLEMENTED                 = 501,

From 8d5d9a45ef3ee1bdec93b3c5778625f430903ad9 Mon Sep 17 00:00:00 2001
From: Valentin Gutierrez <vgutierrez@wikimedia.org>
Date: Thu, 14 May 2020 16:11:36 +0000
Subject: [PATCH 2/6] Use Proxy-Connection iff parent_is_proxy=true

Prior to this change a parent proxy configured as parent_is_proxy=false
would get Proxy-Connection: keep-alive|close instead of
Connection: keep-alive|close
---
 proxy/http/HttpTransact.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index a41e389c83a..d985b00571a 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -6844,7 +6844,7 @@ HttpTransact::handle_request_keep_alive_headers(State *s, HTTPVersion ver, HTTPH
     case KA_CONNECTION:
       ink_assert(s->current.server->keep_alive != HTTP_NO_KEEPALIVE);
       if (ver == HTTPVersion(1, 0)) {
-        if (s->current.request_to == PARENT_PROXY) {
+        if (s->current.request_to == PARENT_PROXY && s->parent_result.parent_is_proxy()) {
           heads->value_set(MIME_FIELD_PROXY_CONNECTION, MIME_LEN_PROXY_CONNECTION, "keep-alive", 10);
         } else {
           heads->value_set(MIME_FIELD_CONNECTION, MIME_LEN_CONNECTION, "keep-alive", 10);
@@ -6858,7 +6858,7 @@ HttpTransact::handle_request_keep_alive_headers(State *s, HTTPVersion ver, HTTPH
       if (s->current.server->keep_alive != HTTP_NO_KEEPALIVE || (ver == HTTPVersion(1, 1))) {
         /* Had keep-alive */
         s->current.server->keep_alive = HTTP_NO_KEEPALIVE;
-        if (s->current.request_to == PARENT_PROXY) {
+        if (s->current.request_to == PARENT_PROXY && s->parent_result.parent_is_proxy()) {
           heads->value_set(MIME_FIELD_PROXY_CONNECTION, MIME_LEN_PROXY_CONNECTION, "close", 5);
         } else {
           heads->value_set(MIME_FIELD_CONNECTION, MIME_LEN_CONNECTION, "close", 5);

From 62cc4d21e237dba564511d6545254aa6d88d8a94 Mon Sep 17 00:00:00 2001
From: Bryan Call <bcall@apache.org>
Date: Thu, 14 May 2020 16:46:13 -0700
Subject: [PATCH 3/6] HPACK: send back an error to the client when the index is
 invalid

---
 proxy/http2/HPACK.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/proxy/http2/HPACK.cc b/proxy/http2/HPACK.cc
index 2ebaaee907b..eefdef255a5 100644
--- a/proxy/http2/HPACK.cc
+++ b/proxy/http2/HPACK.cc
@@ -691,7 +691,9 @@ decode_literal_header_field(MIMEFieldWrapper &header, const uint8_t *buf_start,
 
   // Decode header field name
   if (index) {
-    indexing_table.get_header_field(index, header);
+    if (indexing_table.get_header_field(index, header) == HPACK_ERROR_COMPRESSION_ERROR) {
+      return HPACK_ERROR_COMPRESSION_ERROR;
+    }
   } else {
     char *name_str        = nullptr;
     uint64_t name_str_len = 0;

From 295188c51218d9fd6eb81cd251ff663de09058d7 Mon Sep 17 00:00:00 2001
From: Leif Hedstrom <zwoop@apache.org>
Date: Fri, 15 May 2020 14:29:14 -0600
Subject: [PATCH 4/6] clang-analyzer: eliminate identical conditions (#6790)

---
 proxy/http/HttpTransact.cc | 2 --
 1 file changed, 2 deletions(-)

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index d985b00571a..6f95654f38c 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -5714,8 +5714,6 @@ HttpTransact::initialize_state_variables_from_request(State *s, HTTPHdr *obsolet
     HTTP_INCREMENT_DYN_STAT(http_push_requests_stat);
   } else if (s->method == HTTP_WKSIDX_OPTIONS) {
     HTTP_INCREMENT_DYN_STAT(http_options_requests_stat);
-  } else if (s->method == HTTP_WKSIDX_TRACE) {
-    HTTP_INCREMENT_DYN_STAT(http_trace_requests_stat);
   } else {
     HTTP_INCREMENT_DYN_STAT(http_extension_method_requests_stat);
     SET_VIA_STRING(VIA_DETAIL_TUNNEL, VIA_DETAIL_TUNNEL_METHOD);

From 7da02034f40e99ccea39dcca33051922ff695b85 Mon Sep 17 00:00:00 2001
From: Leif Hedstrom <zwoop@apache.org>
Date: Fri, 15 May 2020 15:06:59 -0600
Subject: [PATCH 5/6] clang-analyzer: code clone in get_proxy_protocol_addr
 (#6791)

* clang-analyzer: code clone in get_proxy_protocol_addr

* Per Bryan's suggestion, make the method const
---
 iocore/net/I_NetVConnection.h |  2 +-
 iocore/net/P_NetVConnection.h | 20 +++++++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/iocore/net/I_NetVConnection.h b/iocore/net/I_NetVConnection.h
index 1b35a1dbdf4..97df42ceb21 100644
--- a/iocore/net/I_NetVConnection.h
+++ b/iocore/net/I_NetVConnection.h
@@ -843,7 +843,7 @@ class NetVConnection : public VConnection, public PluginUserArgs<TS_USER_ARGS_VC
     return pp_info.proxy_protocol_version;
   }
 
-  sockaddr const *get_proxy_protocol_addr(const ProxyProtocolData);
+  sockaddr const *get_proxy_protocol_addr(const ProxyProtocolData) const;
 
   sockaddr const *
   get_proxy_protocol_src_addr()
diff --git a/iocore/net/P_NetVConnection.h b/iocore/net/P_NetVConnection.h
index 679cf0b10ed..ff3c91a4c95 100644
--- a/iocore/net/P_NetVConnection.h
+++ b/iocore/net/P_NetVConnection.h
@@ -87,20 +87,14 @@ NetVConnection::get_local_port()
 }
 
 inline sockaddr const *
-NetVConnection::get_proxy_protocol_addr(const ProxyProtocolData src_or_dst)
+NetVConnection::get_proxy_protocol_addr(const ProxyProtocolData src_or_dst) const
 {
-  if (src_or_dst == ProxyProtocolData::SRC) {
-    if ((pp_info.src_addr.isValid() && pp_info.src_addr.port() != 0) ||
-        (ats_is_ip4(&pp_info.src_addr) && INADDR_ANY != ats_ip4_addr_cast(&pp_info.src_addr)) // IPv4
-        || (ats_is_ip6(&pp_info.src_addr) && !IN6_IS_ADDR_UNSPECIFIED(&pp_info.src_addr.sin6.sin6_addr))) {
-      return &pp_info.src_addr.sa;
-    }
-  } else {
-    if ((pp_info.dst_addr.isValid() && pp_info.dst_addr.port() != 0) ||
-        (ats_is_ip4(&pp_info.dst_addr) && INADDR_ANY != ats_ip4_addr_cast(&pp_info.dst_addr)) // IPv4
-        || (ats_is_ip6(&pp_info.dst_addr) && !IN6_IS_ADDR_UNSPECIFIED(&pp_info.dst_addr.sin6.sin6_addr))) {
-      return &pp_info.dst_addr.sa;
-    }
+  const IpEndpoint &addr = (src_or_dst == ProxyProtocolData::SRC ? pp_info.src_addr : pp_info.dst_addr);
+
+  if ((addr.isValid() && addr.port() != 0) || (ats_is_ip4(&addr) && INADDR_ANY != ats_ip4_addr_cast(&addr)) // IPv4
+      || (ats_is_ip6(&addr) && !IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr))) {
+    return &addr.sa;
   }
+
   return nullptr;
 }

From 06554a318b57a577fcfb7eaf51108b3fc83895fd Mon Sep 17 00:00:00 2001
From: Saurav Kumar <2020saurav@gmail.com>
Date: Fri, 15 May 2020 14:19:24 -0700
Subject: [PATCH 6/6] Adding HTTP status 451 in apidefs as well (See PR#6789)

---
 include/ts/apidefs.h.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in
index 49f5a83cd0b..7d976012eb3 100644
--- a/include/ts/apidefs.h.in
+++ b/include/ts/apidefs.h.in
@@ -196,6 +196,7 @@ typedef enum {
   TS_HTTP_STATUS_PRECONDITION_REQUIRED           = 428,
   TS_HTTP_STATUS_TOO_MANY_REQUESTS               = 429,
   TS_HTTP_STATUS_REQUEST_HEADER_FIELDS_TOO_LARGE = 431,
+  TS_HTTP_STATUS_UNAVAILABLE_FOR_LEGAL_REASONS   = 451,
   TS_HTTP_STATUS_INTERNAL_SERVER_ERROR           = 500,
   TS_HTTP_STATUS_NOT_IMPLEMENTED                 = 501,
   TS_HTTP_STATUS_BAD_GATEWAY                     = 502,