Merge pull request #27 from Volham22/reject-uppercase-headers

fix(http2): Reject uppercase headers
Volham22 · Apr 5, 2024 · b2a854e · b2a854e
2 parents 7288876 + 84bd79e
commit b2a854e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/src/connection/http2.rs b/src/connection/http2.rs
@@ -660,7 +660,7 @@ pub async fn do_connection_loop(
  // RFC 9113 6.1: `If a DATA frame is received whose Stream
  // Identifier field is 0x00, the recipient MUST respond with a
  // connection error`
- if frame.stream_identifier == 0 {
+ if frame.stream_identifier == 0 && frame.length > 0 {
  return Err(ConnectionError::DataOnStreamZero);
  }
 

diff --git a/src/http2/frames/frame.rs b/src/http2/frames/frame.rs
@@ -18,6 +18,8 @@ pub enum FrameError {
  WindowUpdateTooBig,
  #[error("Frame is too big ({actual} > {max_frame_size})")]
  FrameTooBig { actual: u32, max_frame_size: u32 },
+ #[error("Header frame contains uppercase header")]
+ UppercaseHeader,
  // #[error("Continuation frame without header frame")]
  // ContinuationWithoutHeader,
  // #[error("Continuation frame but END_HEADERS set")]

diff --git a/src/http2/frames/headers.rs b/src/http2/frames/headers.rs
@@ -66,7 +66,16 @@ impl Headers {
  headers: hds
  .into_iter()
  .map(|(k, v)| (Bytes::from(k), Bytes::from(v)))
- .collect(),
+ .map(|(k, v)| {
+ if k.iter()
+ .all(|c| c.is_ascii_uppercase() || c.is_ascii_punctuation())
+ {
+ Err(FrameError::UppercaseHeader)
+ } else {
+ Ok((k, v))
+ }
+ })
+ .collect::<Result<Vec<(Bytes, Bytes)>, FrameError>>()?,
  end_stream: Self::is_end_stream(flags),
  }),
  Err(err) => {