mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-03 20:27:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

http3: reject header field that contain non-lowercase characters (#3964)

Browse source
This commit is contained in:
Marten Seemann 2023-07-17 18:16:01 -07:00 committed by GitHub
parent 8ac22a9483
commit 3edacebff0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
http3/request.go
View file

@ -2,6 +2,7 @@ package http3
import ( import (
"errors" "errors"
"fmt"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@ -15,6 +16,10 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {
httpHeaders := http.Header{} httpHeaders := http.Header{}
for _, h := range headers { for _, h := range headers {
// field names need to be lowercase, see section 4.2 of RFC 9114
if strings.ToLower(h.Name) != h.Name {
return nil, fmt.Errorf("header field is not lower-case: %s", h.Name)
}
switch h.Name { switch h.Name {
case ":path": case ":path":
path = h.Value path = h.Value

11
http3/request_test.go
View file

@ -33,6 +33,17 @@ var _ = Describe("Request", func() {
Expect(req.RequestURI).To(Equal("/foo")) Expect(req.RequestURI).To(Equal("/foo"))
}) })
It("rejects upper-case fields", func() {
headers := []qpack.HeaderField{
{Name: ":path", Value: "/foo"},
{Name: ":authority", Value: "quic.clemente.io"},
{Name: ":method", Value: "GET"},
{Name: "Content-Length", Value: "42"},
}
_, err := requestFromHeaders(headers)
Expect(err).To(MatchError("header field is not lower-case: Content-Length"))
})
It("parses path with leading double slashes", func() { It("parses path with leading double slashes", func() {
headers := []qpack.HeaderField{ headers := []qpack.HeaderField{
{Name: ":path", Value: "//foo"}, {Name: ":path", Value: "//foo"},