From f75ba41afcb90c5395cc9dfcdf1d0d44ecbe18d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Grubbstr=C3=B6m=20=28Grubba=29?=
 <grubba@grubba.org>
Date: Wed, 7 Aug 2019 15:32:21 +0200
Subject: [PATCH] Protocols.HTTP [do_async_proxied_method]: Check whether
 CONNECT failed.

Do not attempt to start a TLS connection over a socket where
the proxy has returned a failure code.

Fixes [PIKE-198].
---
 lib/modules/Protocols.pmod/HTTP.pmod/module.pmod | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/modules/Protocols.pmod/HTTP.pmod/module.pmod b/lib/modules/Protocols.pmod/HTTP.pmod/module.pmod
index 2968e68ae2..be6b7eea19 100644
--- a/lib/modules/Protocols.pmod/HTTP.pmod/module.pmod
+++ b/lib/modules/Protocols.pmod/HTTP.pmod/module.pmod
@@ -112,7 +112,8 @@ constant DAV_STORAGE_FULL	= 507; // RFC 2518 10.6: Insufficient Storage
       m_delete(proxy_headers, "authorization");	// Keep the proxy in the dark.
       con = do_method("CONNECT", proxy, 0, proxy_headers);
       con->data(0);
-      if (con->status/100 > 2) {
+      if (con->status >= 300) {
+	// Proxy did not like us or failed to connect to the remote.
 	return con;
       }
       con->headers["connect"] = "keep-alive";
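Review bot: The guard `if (con->status >= 300)` still treats every status below 300 as an established tunnel, so a 1xx reply, or a status of 0 if the Query can end up without a parsed status line (not visible here), falls through to the TLS setup. Only a 2xx reply to CONNECT means the proxy has switched to tunnel mode, so I would write `if (con->status < 200 || con->status >= 300) {` here and in the identical check added to https_proxy_connect_ok. Separately, `con->data(0)` is called on the result of do_method without checking that it is non-zero; if do_method can return 0 on a failed connection, that line fails before the status test is reached. The enclosing function starts and ends outside the hunk.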
@@ -382,6 +383,13 @@ protected void https_proxy_connect_ok(Protocols.HTTP.Query con,
 				      mapping(string:string) request_headers,
 				      string data)
 {
+  if (con->status >= 300) {
+    // Proxy did not like us or failed to connect to the remote.
+    https_proxy_connect_fail(con, orig_cb_info, url, method,
+			     query_variables, request_headers,
+			     data);
+    return;
+  }
   con->set_callbacks(@orig_cb_info);
 
   con->headers["connect"] = "keep-alive";
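Review bot: On the new failure branch `con` still carries the proxy's own reply to CONNECT, which by the commit description arrives before the TLS session to the origin is started and so is not covered by the origin's certificate. https_proxy_connect_fail is defined outside this hunk, so it is not visible whether its callers can tell that reply apart from a response sent by the https origin (a proxy-supplied redirect or auth challenge, for example). I would document this on the branch, e.g. `// con holds the proxy's unauthenticated CONNECT reply, not the origin's response.` It is also worth confirming that the fail handler restores `orig_cb_info` itself, since `con->set_callbacks(@orig_cb_info)` is now skipped on this path. The function body continues past the end of the hunk.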
-- 
GitLab