http2: Harden header validation for curl_pushheader_byname
Since we do prefix match using given header by application code against header name pair in format "NAME:VALUE", and VALUE part can contain ":", we have to careful about existence of ":" in header parameter. ":" should be allowed to match HTTP/2 pseudo-header field, and other use of ":" in header must be treated as error, and curl_pushheader_byname should return NULL. This commit implements this behaviour.
This commit is contained in:
parent
77044b53f7
commit
ddb106d7f6
11
lib/http2.c
11
lib/http2.c
@ -238,9 +238,14 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
|
|||||||
*/
|
*/
|
||||||
char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
|
char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
|
||||||
{
|
{
|
||||||
/* Verify that we got a good easy handle in the push header struct, mostly to
|
/* Verify that we got a good easy handle in the push header struct,
|
||||||
detect rubbish input fast(er). */
|
mostly to detect rubbish input fast(er). Also empty header name
|
||||||
if(!h || !GOOD_EASY_HANDLE(h->data) || !header)
|
is just a rubbish too. We have to allow ":" at the beginning of
|
||||||
|
the header, but header == ":" must be rejected. If we have ':' in
|
||||||
|
the middle of header, it could be matched in middle of the value,
|
||||||
|
this is because we do prefix match.*/
|
||||||
|
if(!h || !GOOD_EASY_HANDLE(h->data) || !header || !header[0] ||
|
||||||
|
Curl_raw_equal(header, ":") || strchr(header + 1, ':'))
|
||||||
return NULL;
|
return NULL;
|
||||||
else {
|
else {
|
||||||
struct HTTP *stream = h->data->req.protop;
|
struct HTTP *stream = h->data->req.protop;
|
||||||
|
Loading…
Reference in New Issue
Block a user