Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid failing HTTP/2 requests with upgrade-insecure-requests #12799

Merged
merged 1 commit into from Sep 13, 2022
Merged

Avoid failing HTTP/2 requests with upgrade-insecure-requests #12799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 2 additions & 3 deletions codec-http2/src/main/java/io/netty/handler/codec/http2/HpackDecoder.java
View file
Open in desktop
Expand Up @@ -422,13 +422,12 @@ private static HeaderType validate(int streamId, CharSequence name,

@SuppressWarnings("deprecation") // We need to check for deprecated headers as well.
private static boolean isConnectionHeader(CharSequence name) {
// These are the known standard and non-standard connection related headers:
// These are the known standard connection related headers:
// - upgrade (7 chars)
// - connection (10 chars)
// - keep-alive (10 chars)
// - proxy-connection (16 chars)
// - transfer-encoding (17 chars)
// - upgrade-insecure-requests (25 chars)
//
// We scan for these based on the length, then double-check any matching name.
int len = name.length();
Expand All @@ -449,7 +448,7 @@ private static boolean isConnectionHeader(CharSequence name) {
if (len == 16) {
return contentEqualsIgnoreCase(name, HttpHeaderNames.PROXY_CONNECTION);
}
return len == 25 && contentEqualsIgnoreCase(name, HttpHeaderNames.UPGRADE_INSECURE_REQUESTS);
return false;
}

private static boolean contains(Http2Headers headers, CharSequence name) {
Expand Down
3 changes: 0 additions & 3 deletions codec-http2/src/test/java/io/netty/handler/codec/http2/DefaultHttp2HeadersDecoderTest.java
View file
Open in desktop
Expand Up @@ -167,9 +167,6 @@ public void decodingConnectionRelatedHeadersMustFailValidation() throws Exceptio

// Non-standard connection related headers:
verifyValidationFails(decoder, encode(b(":method"), b("GET"), b("proxy-connection"), b("keep-alive")));
verifyValidationFails(decoder, encode(b(":method"), b("GET"), b("upgrade-insecure-requests"), b("1")));
verifyValidationFails(decoder, encode(b(":method"), b("GET"),
b("content-security-policy"), b("upgrade-insecure-requests"), b("upgrade-insecure-requests"), b("1")));

// Only "trailers" is allowed for the TE header:
verifyValidationFails(decoder, encode(b(":method"), b("GET"), b("te"), b("compress")));
Expand Down