http3: reject header field names with invalid characters (#3965)

2023-07-17 18:33:24 -07:00
parent 3edacebff0
commit baee8184fc
2 changed files with 16 additions and 0 deletions
--- a/http3/request.go
+++ b/http3/request.go
@@ -8,6 +8,8 @@ import (
 	"strconv"
 	"strings"

+	"golang.org/x/net/http/httpguts"
+
 	"github.com/quic-go/qpack"
 )

@@ -35,6 +37,9 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {
 			contentLengthStr = h.Value
 		default:
 			if !h.IsPseudo() {
+				if !httpguts.ValidHeaderFieldName(h.Name) {
+					return nil, fmt.Errorf("invalid header field name: %q", h.Name)
+				}
 				httpHeaders.Add(h.Name, h.Value)
 			}
 		}