From b6dbfc8c0644fa1d44b45393e089efcde175af99 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Tue, 18 Jul 2023 22:26:46 -0700
Subject: [PATCH] http3: reject responses that don't set the :status header (#3975)
---
 http3/headers.go | 3 +++
 http3/headers_test.go | 8 ++++++++
 2 files changed, 11 insertions(+)
diff --git a/http3/headers.go b/http3/headers.go
index e9f2df70..ec3fc0dd 100644
--- a/http3/headers.go
+++ b/http3/headers.go
@@ -177,6 +177,9 @@ func responseFromHeaders(headerFields []qpack.HeaderField) (*http.Response, erro
 if err != nil {
 return nil, err
 }
+ if hdr.Status == "" {
+ return nil, errors.New("missing status field")
+ }
 rsp := &http.Response{
 Proto: "HTTP/3.0",
 ProtoMajor: 3,
diff --git a/http3/headers_test.go b/http3/headers_test.go
index 7fcf675d..72233680 100644
--- a/http3/headers_test.go
+++ b/http3/headers_test.go
@@ -317,6 +317,14 @@ var _ = Describe("Response", func() {
 Expect(err).To(MatchError("received pseudo header :status after a regular header field"))
 })
 
+ It("rejects response with no status field", func() {
+ headers := []qpack.HeaderField{
+ {Name: "content-length", Value: "42"},
+ }
+ _, err := responseFromHeaders(headers)
+ Expect(err).To(MatchError("missing status field"))
+ })
+
 It("rejects invalid status codes", func() {
 headers := []qpack.HeaderField{
 {Name: ":status", Value: "foobar"},
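Review bot: The new `hdr.Status == ""` guard in responseFromHeaders has no comment saying why an absent status is fatal, so the protocol requirement behind it is not visible to the next reader. A one-line comment such as `// RFC 9114, Section 4.3.2: a response without :status is malformed.` would tie the check to that requirement. The guard also appears to treat a `:status` field sent with an empty value the same as an absent one, assuming parseHeaders stores the raw value; that is reasonable, but the comment should say so. The function starts and ends outside the hunk, so whether the caller turns this error into a stream error of type H3_MESSAGE_ERROR cannot be confirmed from here.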
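Review bot: The added test covers only a header list that has a regular field and no `:status`, so the other inputs that should be rejected stay unpinned. Those are a `:status` field with an empty value and an empty header list. A companion case for the empty value is sketched below; it asserts only that an error occurs, because which check rejects it depends on parseHeaders, which is not in this diff.

```go
It("rejects a response with an empty status field", func() {
	headers := []qpack.HeaderField{
		{Name: ":status", Value: ""},
	}
	_, err := responseFromHeaders(headers)
	Expect(err).To(HaveOccurred())
})
```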