moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

http2: relax verification of :authority in push promise requests 

If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.

Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html

Closes #4365
This commit is contained in:
Christoph M. Becker 2019-09-16 15:32:58 +02:00 committed by Daniel Stenberg
parent 9bc44ff64d
commit 7c596f5dea
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/http2.c
View File

@ -967,7 +967,9 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
if(!check)
/* no memory */
return NGHTTP2_ERR_CALLBACK_FAILURE;
if(!Curl_strcasecompare(check, (const char *)value)) {
if(!Curl_strcasecompare(check, (const char *)value) &&
((conn->remote_port != conn->given->defport) ||
!Curl_strcasecompare(conn->host.name, (const char *)value))) {
/* This is push is not for the same authority that was asked for in
* the URL. RFC 7540 section 8.2 says: "A client MUST treat a
* PUSH_PROMISE for which the server is not authoritative as a stream