gr1ffon/quic-go
1
0
Fork 0
forked from quic-go/quic-go
Code Pull Requests Activity

http3: reject header field names with invalid characters (#3965)

Browse Source
This commit is contained in:
Marten Seemann
2023-07-17 18:33:24 -07:00
committed by GitHub
parent 3edacebff0
commit baee8184fc
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
http3/request.go
View File

@@ -8,6 +8,8 @@ import (
"strconv" "strconv"
"strings" "strings"
"golang.org/x/net/http/httpguts"
"github.com/quic-go/qpack" "github.com/quic-go/qpack"
) )
@@ -35,6 +37,9 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {
contentLengthStr = h.Value contentLengthStr = h.Value
default: default:
if !h.IsPseudo() { if !h.IsPseudo() {
if !httpguts.ValidHeaderFieldName(h.Name) {
return nil, fmt.Errorf("invalid header field name: %q", h.Name)
}
httpHeaders.Add(h.Name, h.Value) httpHeaders.Add(h.Name, h.Value)
} }
} }

11
http3/request_test.go
View File

@@ -44,6 +44,17 @@ var _ = Describe("Request", func() {
Expect(err).To(MatchError("header field is not lower-case: Content-Length")) Expect(err).To(MatchError("header field is not lower-case: Content-Length"))
}) })
It("rejects invalid field names", func() {
headers := []qpack.HeaderField{
{Name: ":path", Value: "/foo"},
{Name: ":authority", Value: "quic.clemente.io"},
{Name: ":method", Value: "GET"},
{Name: "@", Value: "42"},
}
_, err := requestFromHeaders(headers)
Expect(err).To(MatchError(`invalid header field name: "@"`))
})
It("parses path with leading double slashes", func() { It("parses path with leading double slashes", func() {
headers := []qpack.HeaderField{ headers := []qpack.HeaderField{
{Name: ":path", Value: "//foo"}, {Name: ":path", Value: "//foo"},