validate HTTP headers and request scheme in RoundTripper

2016-12-22 14:13:21 +07:00
parent 1061bd4492
commit feec325083
2 changed files with 73 additions and 28 deletions
--- a/h2quic/roundtrip.go
+++ b/h2quic/roundtrip.go
@@ -2,8 +2,11 @@ package h2quic

 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"sync"
+
+	"golang.org/x/net/lex/httplex"
 )

 type h2quicClient interface {
@@ -44,6 +47,22 @@ func (r *QuicRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 		return nil, errors.New("quic: nil Request.Header")
 	}

+	if req.URL.Scheme == "https" {
+		for k, vv := range req.Header {
+			if !httplex.ValidHeaderFieldName(k) {
+				return nil, fmt.Errorf("quic: invalid http header field name %q", k)
+			}
+			for _, v := range vv {
+				if !httplex.ValidHeaderFieldValue(v) {
+					return nil, fmt.Errorf("quic: invalid http header field value %q for key %v", v, k)
+				}
+			}
+		}
+	} else {
+		closeRequestBody(req)
+		return nil, fmt.Errorf("quic: unsupported protocol scheme: %s", req.URL.Scheme)
+	}
+
 	hostname := authorityAddr("https", hostnameFromRequest(req))
 	client, err := r.getClient(hostname)
 	if err != nil {