Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move validation of connection headers in HTTP/2 back to HpackDecoder #12975

Merged
merged 2 commits into from Nov 9, 2022
Merged

Move validation of connection headers in HTTP/2 back to HpackDecoder #12975

merged 2 commits into from Nov 9, 2022

Conversation

idelpivnitskiy
Copy link
Member

@idelpivnitskiy idelpivnitskiy commented Nov 8, 2022
edited

Motivation:

#12755 added validation for presence of connection-related headers while HpackDecoder decodes the incoming frame. Then #12760 moved this validation from HpackDecoder to DefaultHttp2Headers. As the result, existing use-case that could use DefaultHttp2Headers for HTTP/2 and HTTP/1.X broke when users add any of the mentioned prohibited headers. The HTTP/1.X to HTTP/2 translation logic usually has sanitization process that removes connection-related headers. It's enough to run this validation only for incoming messages and we should preserve backward compatibility for 4.1.

Modifications:

  • Move isConnectionHeader and te validations from DefaultHttp2Headers back to HpackDecoder;
  • Add tests to verify HpackDecoder fails incoming headers as expected;
  • Add tests to verify mentioned headers can be added to DefaultHttp2Headers;

Result:

Backward compatibility is preserved, while validation for connection-related headers is done in HpackDecoder.

@idelpivnitskiy
Move validation of connection headers in HTTP/2 back to HpackDecoder
6cbc84e 
Motivation:

netty#12755 added validation for presence of connection-related headers while
`HpackDecoder` decodes the incoming frame. Then netty#12760 moved this
validation from `HpackDecoder` to `DefaultHttp2Headers`. As the result,
existing use-case that could use `DefaultHttp2Headers` for HTTP/2 and
HTTP/1.X broke when users add  any of the mentioned prohibited headers.
The HTTP/1.X to HTTP/2 translation logic usually has sanitization
process that removes connection-related headers. It's enough to run this
validation only for incoming messages and we should preserve backward
compatibility for 4.1.

Modifications:

- Move `isConnectionHeader` and `te` validations from `DefaultHttp2Headers`
back to `HpackDecoder`;
- Add tests to verify `HpackDecoder` fails incoming headers as expected;
- Add tests to verify mentioned headers can be added to
`DefaultHttp2Headers`;

Result:

Backward compatibility is preserved, while validation for
connection-related headers is done in `HpackDecoder`.
chrisvest
chrisvest approved these changes Nov 8, 2022
View reviewed changes
Copy link
Contributor

@chrisvest chrisvest left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise looks good. Just keep a validateValue override around that delegates to the superclass.

@normanmaurer normanmaurer merged commit 7127e60 into netty:4.1 Nov 9, 2022
@normanmaurer
Copy link
Member

@idelpivnitskiy can you please also do a PR against main ?

@normanmaurer normanmaurer added this to the 4.1.85.Final milestone Nov 9, 2022
@idelpivnitskiy idelpivnitskiy deleted the h2-connection-headers-validation branch November 9, 2022 16:41
@idelpivnitskiy idelpivnitskiy mentioned this pull request Nov 9, 2022
Merged
idelpivnitskiy added a commit to idelpivnitskiy/servicetalk that referenced this pull request Nov 9, 2022
@idelpivnitskiy
Update Netty 4.1.82 -> 4.1.85
4f6a720 
With the recent Netty fix netty/netty#12975
we can test HTTP/2 use-cases with both variants of the header factory.
@idelpivnitskiy idelpivnitskiy mentioned this pull request Nov 9, 2022
Merged
idelpivnitskiy added a commit to idelpivnitskiy/servicetalk that referenced this pull request Nov 10, 2022
@idelpivnitskiy
Update Netty 4.1.82 -> 4.1.85
4a573f8 
With the recent Netty fix netty/netty#12975 we
can test HTTP/2 use-cases with both variants of the header factory.
idelpivnitskiy added a commit to apple/servicetalk that referenced this pull request Nov 10, 2022
@idelpivnitskiy
Update Netty 4.1.82 -> 4.1.85 (#2415)
4ebd767 
With the recent Netty fix netty/netty#12975 we
can test HTTP/2 use-cases with both variants of the header factory.
@violetagg violetagg mentioned this pull request Feb 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisvest chrisvest chrisvest approved these changes

@normanmaurer normanmaurer normanmaurer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.1.85.Final
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@idelpivnitskiy @normanmaurer @chrisvest