http3: reject responses that don't set the :status header (#3975)

2023-07-18 22:26:46 -07:00
parent 5d59c3059f
commit b6dbfc8c06
2 changed files with 11 additions and 0 deletions
--- a/http3/headers.go
+++ b/http3/headers.go
@@ -177,6 +177,9 @@ func responseFromHeaders(headerFields []qpack.HeaderField) (*http.Response, erro
 	if err != nil {
 		return nil, err
 	}
+	if hdr.Status == "" {
+		return nil, errors.New("missing status field")
+	}
 	rsp := &http.Response{
 		Proto:         "HTTP/3.0",
 		ProtoMajor:    3,
--- a/http3/headers_test.go
+++ b/http3/headers_test.go
@@ -317,6 +317,14 @@ var _ = Describe("Response", func() {
 		Expect(err).To(MatchError("received pseudo header :status after a regular header field"))
 	})

+	It("rejects response with no status field", func() {
+		headers := []qpack.HeaderField{
+			{Name: "content-length", Value: "42"},
+		}
+		_, err := responseFromHeaders(headers)
+		Expect(err).To(MatchError("missing status field"))
+	})
+
 	It("rejects invalid status codes", func() {
 		headers := []qpack.HeaderField{
 			{Name: ":status", Value: "foobar"},