mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-04 20:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

http3: validate Host header before sending (#3948)

Browse source
This commit is contained in:
Marten Seemann 2023-07-11 23:27:24 -07:00 committed by GitHub
parent 0fe21c7d6f
commit fcf8d4b3ff
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
http3/request_writer.go
View file

@ -2,6 +2,7 @@ package http3
import ( import (
"bytes" "bytes"
"errors"
"fmt" "fmt"
"io" "io"
"net" "net"
@ -81,6 +82,9 @@ func (w *requestWriter) encodeHeaders(req *http.Request, addGzipHeader bool, tra
if err != nil { if err != nil {
return err return err
} }
if !httpguts.ValidHostHeader(host) {
return errors.New("http3: invalid Host header")
}
// http.NewRequest sets this field to HTTP/1.1 // http.NewRequest sets this field to HTTP/1.1
isExtendedConnect := req.Method == http.MethodConnect && req.Proto != "" && req.Proto != "HTTP/1.1" isExtendedConnect := req.Method == http.MethodConnect && req.Proto != "" && req.Proto != "HTTP/1.1"

7
http3/request_writer_test.go
View file

@ -59,6 +59,13 @@ var _ = Describe("Request Writer", func() {
Expect(headerFields).ToNot(HaveKey("accept-encoding")) Expect(headerFields).ToNot(HaveKey("accept-encoding"))
}) })
It("rejects invalid host headers", func() {
req, err := http.NewRequest(http.MethodGet, "https://quic.clemente.io/index.html?foo=bar", nil)
Expect(err).ToNot(HaveOccurred())
req.Host = "foo@bar" // @ is invalid
Expect(rw.WriteRequestHeader(str, req, false)).To(MatchError("http3: invalid Host header"))
})
It("sends cookies", func() { It("sends cookies", func() {
req, err := http.NewRequest(http.MethodGet, "https://quic.clemente.io/", nil) req, err := http.NewRequest(http.MethodGet, "https://quic.clemente.io/", nil)
Expect(err).ToNot(HaveOccurred()) Expect(err).ToNot(HaveOccurred())