Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject HTTP/2 header values with invalid characters #12760

Merged
merged 15 commits into from Sep 21, 2022
Merged

Reject HTTP/2 header values with invalid characters #12760

merged 15 commits into from Sep 21, 2022

Commits on Sep 20, 2022

  1. Validate HTTP/2 header values 

    Motivation:
In https://datatracker.ietf.org/doc/html/rfc7540#section-10.3 it says that only certain characters are valid in a header value:

> Any request or response that contains a character not permitted
> in a header field value MUST be treated as malformed (Section 8.1.2.6).
> Valid characters are defined by the "field-content" ABNF rule in
> Section 3.2 of [RFC7230].

Modification:
Add a header value validation step to HpackDecoder.

Result:
Header values are now validated against the Section 10.3, etc. rules.
    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    7804234 View commit details
    Browse the repository at this point in the history

  2. Specialize HPACK header validation for AsciiString and CharSequence

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    ba309af View commit details
    Browse the repository at this point in the history

  3. Address some comments from netty#12755

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    7a64b63 View commit details
    Browse the repository at this point in the history

  4. Fix HTTP/2 header value validation bug caused by signed bytes

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    1e50b06 View commit details
    Browse the repository at this point in the history

  5. Include the offending byte and index when HTTP/2 header value validat… 

    …ion fails
    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    05fccc2 View commit details
    Browse the repository at this point in the history

  6. Make header value validation a separate toggle

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    6167cb2 View commit details
    Browse the repository at this point in the history

  7. Fix backwards compatibility

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    0cd6d05 View commit details
    Browse the repository at this point in the history

  8. Address some small review comments

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    392e6e0 View commit details
    Browse the repository at this point in the history

  9. Specialize validation in HpackDecoder since it only produce AsciiStri… 

    …ng header names and values
    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    cdf3258 View commit details
    Browse the repository at this point in the history

  10. Address some more comments

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    fcd4f4f View commit details
    Browse the repository at this point in the history

  11. Make illegal http header char tests parameterized

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    9cc54d6 View commit details
    Browse the repository at this point in the history

  12. Consolidate HTTP header value and name validation

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    23620a6 View commit details
    Browse the repository at this point in the history

  13. Small javadoc update

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    bd406d3 View commit details
    Browse the repository at this point in the history

  14. Address PR review comments

    @chrisvest
    chrisvest committed Sep 20, 2022
    Configuration menu
    Copy the full SHA
    73d119f View commit details
    Browse the repository at this point in the history

Commits on Sep 21, 2022

  1. Address nit

    @chrisvest
    chrisvest committed Sep 21, 2022
    Configuration menu
    Copy the full SHA
    e45ea6a View commit details
    Browse the repository at this point in the history