From 3855168876a5f656462923a1abc4dee884bf3a72 Mon Sep 17 00:00:00 2001
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 4 Sep 2024 15:52:51 +0900
Subject: [PATCH] return 425 in `addr` if early-data header is set

---
 share/h2o/mruby/acl.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/share/h2o/mruby/acl.rb b/share/h2o/mruby/acl.rb
index 7a7ba53ef..90d606283 100644
--- a/share/h2o/mruby/acl.rb
+++ b/share/h2o/mruby/acl.rb
@@ -41,6 +41,9 @@ module H2O
 
     class ACLHandler
 
+      class TooEarlyError < StandardError
+      end
+
       class ConditionalHandler
         def initialize(handler, cond)
           @handler = handler
@@ -63,9 +66,13 @@ module H2O
       end
 
       def call(env)
-        @acl.each {|ac|
-          return ac.call(env) if ac.satisfy?(env)
-        }
+        begin
+          @acl.each {|ac|
+            return ac.call(env) if ac.satisfy?(env)
+          }
+        rescue TooEarlyError => e
+          return [425, {}, []]
+        end
         return [399, {}, []]
       end
 
@@ -96,6 +103,7 @@ module H2O
         end
 
         def addr(forwarded=true)
+          raise TooEarlyError if @env['HTTP_EARLY_DATA']
           addr = @env['REMOTE_ADDR']
           if forwarded && (xff = @env['HTTP_X_FORWARDED_FOR'])
             xaddr = xff.split(",")[0]