Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http2: report invalid for spaced header names #33161

Closed
wants to merge 5 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion lib/internal/http2/compat.js
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ let statusConnectionHeaderWarned = false;
// close as possible to the current require('http') API

const assertValidHeader = hideStackFrames((name, value) => {
if (name === '' || typeof name !== 'string') {
if (name === '' || typeof name !== 'string' || name.indexOf(' ') >= 0) {
throw new ERR_INVALID_HTTP_TOKEN('Header name', name);
}
ronag marked this conversation as resolved.
Show resolved Hide resolved
if (isPseudoHeader(name)) {
Expand Down
6 changes: 5 additions & 1 deletion lib/internal/http2/util.js
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@ const {
ERR_HTTP2_INVALID_CONNECTION_HEADERS,
ERR_HTTP2_INVALID_PSEUDOHEADER,
ERR_HTTP2_INVALID_SETTING_VALUE,
ERR_INVALID_ARG_TYPE
ERR_INVALID_ARG_TYPE,
ERR_INVALID_HTTP_TOKEN
},
addCodeToName,
hideStackFrames
Expand Down Expand Up @@ -490,6 +491,9 @@ function mapToHeaders(map,
count++;
continue;
}
if (key.indexOf(' ') >= 0) {
throw new ERR_INVALID_HTTP_TOKEN('Header name', key);
}
if (isIllegalConnectionSpecificHeader(key, value)) {
throw new ERR_HTTP2_INVALID_CONNECTION_HEADERS(key);
}
Expand Down
65 changes: 65 additions & 0 deletions test/parallel/test-http2-invalidheaderfield.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
'use strict';
const common = require('../common');
if (!common.hasCrypto) { common.skip('missing crypto'); }

// Check for:
// Spaced headers
// Psuedo headers
// Capitalized headers

const http2 = require('http2');
const { throws, strictEqual } = require('assert');

const server = http2.createServer(common.mustCall((req, res) => {
throws(() => {
res.setHeader(':path', '/');
}, {
code: 'ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED'
});
throws(() => {
res.setHeader('t est', 123);
rexagod marked this conversation as resolved.
Show resolved Hide resolved
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.setHeader('TEST', 123);
res.setHeader('test_', 123);
res.setHeader(' test', 123);
res.end();
}));

server.listen(0, common.mustCall(() => {
const session1 = http2.connect(`http://localhost:${server.address().port}`);
session1.request({ 'test_': 123, 'TEST': 123 })
.on('end', common.mustCall(() => {
session1.close();
server.close();
}));

const session2 = http2.connect(`http://localhost:${server.address().port}`);
session2.on('error', common.mustCall((e) => {
strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
}));
throws(() => {
session2.request({ 't est': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});

const session3 = http2.connect(`http://localhost:${server.address().port}`);
session3.on('error', common.mustCall((e) => {
strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
}));
throws(() => {
session3.request({ ' test': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});

const session4 = http2.connect(`http://localhost:${server.address().port}`);
throws(() => {
session4.request({ ':test': 123 });
}, {
code: 'ERR_HTTP2_INVALID_PSEUDOHEADER'
});
session4.close();
}));
20 changes: 13 additions & 7 deletions test/parallel/test-http2-invalidheaderfields-client.js
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,11 @@ const server1 = http2.createServer();
server1.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server1.address().port}`);
// Check for req headers
session.request({ 'no underscore': 123 });
assert.throws(() => {
session.request({ 'no underscore': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
session.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
server1.close();
Expand All @@ -18,15 +22,18 @@ server1.listen(0, common.mustCall(() => {

const server2 = http2.createServer(common.mustCall((req, res) => {
// check for setHeader
res.setHeader('x y z', 123);
assert.throws(() => {
res.setHeader('x y z', 123);
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.end();
}));

server2.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server2.address().port}`);
const req = session.request();
req.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
req.on('end', common.mustCall(() => {
session.close();
server2.close();
}));
Expand All @@ -39,16 +46,15 @@ const server3 = http2.createServer(common.mustCall((req, res) => {
'an invalid header': 123
});
}), {
code: 'ERR_HTTP2_INVALID_STREAM'
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.end();
}));

server3.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server3.address().port}`);
const req = session.request();
req.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
req.on('end', common.mustCall(() => {
server3.close();
session.close();
}));
Expand Down