[libsoup] http2: make sure the request doesn't include any invalid header



commit b3912182960aab27df001889febf7093a1b587e8
Author: Carlos Garcia Campos <cgarcia igalia com>
Date:   Thu May 20 11:12:18 2021 +0200

    http2: make sure the request doesn't include any invalid header

 libsoup/http2/soup-client-message-io-http2.c | 21 +++++++++++++++++++--
 tests/http2-test.c                           | 27 +++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 2 deletions(-)
---
diff --git a/libsoup/http2/soup-client-message-io-http2.c b/libsoup/http2/soup-client-message-io-http2.c
index 0b09ee14..765be4b8 100644
--- a/libsoup/http2/soup-client-message-io-http2.c
+++ b/libsoup/http2/soup-client-message-io-http2.c
@@ -783,6 +783,23 @@ soup_http2_message_data_free (SoupHTTP2MessageData *data)
         g_free (data);
 }
 
+static gboolean
+request_header_is_valid (const char *name)
+{
+        static GHashTable *invalid_request_headers = NULL;
+
+        if (!invalid_request_headers) {
+                invalid_request_headers = g_hash_table_new (soup_str_case_hash, soup_str_case_equal);
+                g_hash_table_add (invalid_request_headers, "Connection");
+                g_hash_table_add (invalid_request_headers, "Keep-Alive");
+                g_hash_table_add (invalid_request_headers, "Proxy-Connection");
+                g_hash_table_add (invalid_request_headers, "Transfer-Encoding");
+                g_hash_table_add (invalid_request_headers, "Upgrade");
+        }
+
+        return !g_hash_table_contains (invalid_request_headers, name);
+}
+
 #define MAKE_NV(NAME, VALUE, VALUELEN)                                      \
         {                                                                   \
                 (uint8_t *)NAME, (uint8_t *)VALUE, strlen (NAME), VALUELEN, \
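Review bot: The lazily built `invalid_request_headers` table in `request_header_is_valid` is initialised without any synchronisation, so two threads making their first call at the same time could both see NULL and populate the table concurrently. Whether that can happen depends on whether sessions on different threads can reach `send_message_request`, which this hunk does not show. With only five fixed names, a `static const char *const` array scanned with `g_ascii_strcasecmp` avoids both the allocation and the race; otherwise guard the setup with `g_once_init_enter`/`g_once_init_leave`. A short comment naming the rule being enforced (connection-specific header fields, RFC 7540 section 8.1.2.2) would also tell the next reader why these names are on the list.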
@@ -833,9 +850,9 @@ send_message_request (SoupMessage          *msg,
         const char *name, *value;
         soup_message_headers_iter_init (&iter, soup_message_get_request_headers (msg));
         while (soup_message_headers_iter_next (&iter, &name, &value)) {
-                /* Forbidden headers. TODO: Avoid setting this elsewhere? */
-                if (g_ascii_strcasecmp (name, "Transfer-Encoding") == 0)
+                if (!request_header_is_valid (name))
                         continue;
+
                 const nghttp2_nv nv = MAKE_NV2 (name, value);
                 g_array_append_val (headers, nv);
         }
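Review bot: The filter at `if (!request_header_is_valid (name))` looks only at the header name, so value-dependent cases of the same HTTP/2 rule (RFC 7540 section 8.1.2.2) still pass through. A `TE` header is permitted only with the value `trailers`, and any header the application nominated in the value of `Connection` is still forwarded even though `Connection` itself is dropped. A peer that enforces the rule may reset the stream in the first case, and in the second a header meant to be hop-by-hop becomes end-to-end. `value` is already available in the loop, so the check could take it, e.g. `if (!request_header_is_valid (name, value))`, with `TE` accepted only when `g_ascii_strcasecmp (value, "trailers") == 0`. The body of `send_message_request` starts and ends outside this hunk.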
diff --git a/tests/http2-test.c b/tests/http2-test.c
index d5c75c43..c12f86a0 100644
--- a/tests/http2-test.c
+++ b/tests/http2-test.c
@@ -549,6 +549,29 @@ do_preconnect_test (Test *test, gconstpointer data)
         g_main_context_unref (async_context);
 }
 
+static void
+do_invalid_header_test (Test *test, gconstpointer data)
+{
+        static const char *invalid_headers[] = { "Connection", "Keep-Alive", "Proxy-Connection", 
"Transfer-Encoding", "Upgrade" };
+        guint i;
+
+        for (i = 0; i < G_N_ELEMENTS (invalid_headers); i++) {
+                SoupMessage *msg;
+                SoupMessageHeaders *request_headers;
+                GBytes *body;
+                GError *error = NULL;
+
+                msg = soup_message_new (SOUP_METHOD_GET, "https://127.0.0.1:5000/";);
+                request_headers = soup_message_get_request_headers (msg);
+                soup_message_headers_append (request_headers, invalid_headers[i], "Value");
+                body = soup_test_session_async_send (test->session, msg, NULL, &error);
+                g_assert_no_error (error);
+                g_assert_cmpstr (g_bytes_get_data (body, NULL), ==, "Hello world");
+                g_bytes_unref (body);
+                g_object_unref (msg);
+        }
+}
+
 int
 main (int argc, char **argv)
 {
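Review bot: `do_invalid_header_test` asserts only that the request succeeds and that the body is "Hello world", so it proves the filter works only if the test server rejects a request carrying one of these headers, which is not visible here. If the server tolerates them, the test would still pass with the filter removed. If the server does reject them, say so in a comment above the loop, e.g. `/* The server fails requests that carry connection-specific headers, so success means they were stripped */`; otherwise have the server handler check that the header is absent. The cases also all use the exact spelling from the filter list, so one mixed-case name such as `"transfer-encoding"` would cover the case-insensitive lookup.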
@@ -627,6 +650,10 @@ main (int argc, char **argv)
                     setup_session,
                     do_cancellation_test,
                     teardown_session);
+        g_test_add ("/http2/invalid-header", Test, NULL,
+                    setup_session,
+                    do_invalid_header_test,
+                    teardown_session);
 
 
 

