From c4b3d979bd8079cb4e923576306ef2287bb02f23 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Mon, 17 Jul 2023 18:56:29 -0700
Subject: [PATCH] http3: reject header field values with invalid characters (#3967)

---
 http3/request.go | 3 +++
 http3/request_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/http3/request.go b/http3/request.go
index 9cb06db2e..ce85405c4 100644
--- a/http3/request.go
+++ b/http3/request.go
@@ -22,6 +22,9 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {
 if strings.ToLower(h.Name) != h.Name {
 return nil, fmt.Errorf("header field is not lower-case: %s", h.Name)
 }
+ if !httpguts.ValidHeaderFieldValue(h.Value) {
+ return nil, fmt.Errorf("invalid header field value for %s: %q", h.Name, h.Value)
+ }
 switch h.Name {
 case ":path":
 path = h.Value
diff --git a/http3/request_test.go b/http3/request_test.go
index 81c932933..57b348c22 100644
--- a/http3/request_test.go
+++ b/http3/request_test.go
@@ -55,6 +55,17 @@ var _ = Describe("Request", func() {
 Expect(err).To(MatchError(`invalid header field name: "@"`))
 })

+ It("rejects invalid field values", func() {
+ headers := []qpack.HeaderField{
+ {Name: ":path", Value: "/foo"},
+ {Name: ":authority", Value: "quic.clemente.io"},
+ {Name: ":method", Value: "GET"},
+ {Name: "content", Value: "\n"},
+ }
+ _, err := requestFromHeaders(headers)
+ Expect(err).To(MatchError(`invalid header field value for content: "\n"`))
+ })
+
 It("parses path with leading double slashes", func() {
 headers := []qpack.HeaderField{
 {Name: ":path", Value: "//foo"},
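Review bot: The new `httpguts.ValidHeaderFieldValue` guard in request.go carries no comment explaining why a whole request is dropped over a single field value, and the rest of `requestFromHeaders` (which begins and ends outside this hunk) gives the reader no hint either. I would add above the check: `// A field value containing CR, LF, NUL or other control bytes (HTAB excepted) makes the message malformed; reject it here so such bytes can never be copied into a forwarded request, a response, or a log line.` Using `%q` for `h.Value` in the error is the right choice, since the offending control bytes are escaped rather than written raw to whatever logs the error. No import hunk for `httpguts` appears in the patch, so presumably the package was already imported for the existing field-name check; worth confirming the build. Note that the check runs before the `switch`, so pseudo-header values such as `:path` and `:authority` are covered as well, which is what you want.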
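Review bot: The new `It("rejects invalid field values", ...)` case in request_test.go pins only a bare `"\n"` in a regular field, so a regression that let CR or NUL through, or that skipped pseudo-header values, would still pass. I would turn it into a small table over `"\n"`, `"\r"` and `"\x00"`, asserting the exact `invalid header field value for %s: %q` message for each, add one variant with the bad byte in `:path`, and keep one positive case (a value containing an HTAB) showing that legal values are still accepted. The surrounding `Describe("Request", ...)` block starts and ends outside this hunk, and the last context line is the opening of the next `It`.

```go
It("rejects invalid field values", func() {
	for _, tc := range []struct{ value, errMsg string }{
		{"\n", `invalid header field value for content: "\n"`},
		{"\r", `invalid header field value for content: "\r"`},
		{"\x00", `invalid header field value for content: "\x00"`},
	} {
		headers := []qpack.HeaderField{
			{Name: ":path", Value: "/foo"},
			{Name: ":authority", Value: "quic.clemente.io"},
			{Name: ":method", Value: "GET"},
			{Name: "content", Value: tc.value},
		}
		_, err := requestFromHeaders(headers)
		Expect(err).To(MatchError(tc.errMsg))
	}
})
```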