mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-03 04:07:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

http3: reject header field values with invalid characters (#3967)

Browse source
This commit is contained in:
Marten Seemann 2023-07-17 18:56:29 -07:00 committed by GitHub
parent baee8184fc
commit c4b3d979bd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
http3/request.go
View file

@ -22,6 +22,9 @@ func requestFromHeaders(headers []qpack.HeaderField) (*http.Request, error) {
if strings.ToLower(h.Name) != h.Name {
return nil, fmt.Errorf("header field is not lower-case: %s", h.Name)
}
if !httpguts.ValidHeaderFieldValue(h.Value) {
return nil, fmt.Errorf("invalid header field value for %s: %q", h.Name, h.Value)
}
switch h.Name {
case ":path":
path = h.Value

11
http3/request_test.go
View file

@ -55,6 +55,17 @@ var _ = Describe("Request", func() {
Expect(err).To(MatchError(`invalid header field name: "@"`))
})
It("rejects invalid field values", func() {
headers := []qpack.HeaderField{
{Name: ":path", Value: "/foo"},
{Name: ":authority", Value: "quic.clemente.io"},
{Name: ":method", Value: "GET"},
{Name: "content", Value: "\n"},
}
_, err := requestFromHeaders(headers)
Expect(err).To(MatchError(`invalid header field value for content: "\n"`))
})
It("parses path with leading double slashes", func() {
headers := []qpack.HeaderField{
{Name: ":path", Value: "//foo"},