mirror of https://github.com/moparisthebest/curl synced 2025-01-08 12:28:06 -05:00

http2: Harden header validation for curl_pushheader_byname

Since we do prefix match using given header by application code
against header name pair in format "NAME:VALUE", and VALUE part can
contain ":", we have to be careful about existence of ":" in header
parameter.  ":" should be allowed to match HTTP/2 pseudo-header field,
and other use of ":" in header must be treated as error, and
curl_pushheader_byname should return NULL.  This commit implements
this behaviour.
Tatsuhiro Tsujikawa 2015-06-06 18:07:00 +09:00 committed by Daniel Stenberg
parent 77044b53f7
commit ddb106d7f6


@ -238,9 +238,14 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
*/ */
char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header) char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
{ {
/* Verify that we got a good easy handle in the push header struct, mostly to /* Verify that we got a good easy handle in the push header struct,
detect rubbish input fast(er). */ mostly to detect rubbish input fast(er). Also empty header name
if(!h || !GOOD_EASY_HANDLE(h->data) || !header) is just a rubbish too. We have to allow ":" at the beginning of
the header, but header == ":" must be rejected. If we have ':' in
the middle of header, it could be matched in middle of the value,
this is because we do prefix match.*/
if(!h || !GOOD_EASY_HANDLE(h->data) || !header || !header[0] ||
Curl_raw_equal(header, ":") || strchr(header + 1, ':'))
return NULL; return NULL;
else { else {
struct HTTP *stream = h->data->req.protop; struct HTTP *stream = h->data->req.protop;
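Review bot: the new condition uses Curl_raw_equal(header, ":"), a case-insensitive string comparison, to test for a lone ':'; (header[0] == ':' && !header[1]) states the intent directly and avoids the call. The strchr(header + 1, ':') term is only safe because !header[0] short-circuits ahead of it, so a brief remark about that ordering in the comment would protect it against a later reorder of the checks. The comment itself could be tightened ("Also empty header name is just a rubbish too", and the missing space before the closing */). Since NULL is now returned both for a header that is not present and for a name the function rejects, the curl_pushheader_byname documentation should say that a name containing ':' anywhere after the first character, or consisting only of ":", yields NULL, if that is not covered elsewhere in the patch.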