From 486dba8d8a3d214d7284b4965722288e74ec7ee2 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Fri, 25 Dec 2015 20:57:24 +0900
Subject: [PATCH] nghttpx: Strict validation for header fields given in
 configuration

---
 src/shrpx_config.cc      | 16 +++++++++++-----
 src/shrpx_config_test.cc |  9 +++++++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index e9deed04..2281d4ab 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -276,11 +276,9 @@ std::string read_passwd_from_file(const char *filename) {
 }
 
 std::pair<std::string, std::string> parse_header(const char *optarg) {
-  // We skip possible ":" at the start of optarg.
-  const auto *colon = strchr(optarg + 1, ':');
+  const auto *colon = strchr(optarg, ':');
 
-  // name = ":" is not allowed
-  if (colon == nullptr || (optarg[0] == ':' && colon == optarg + 1)) {
+  if (colon == nullptr || colon == optarg) {
     return {"", ""};
   }
 
@@ -292,6 +290,14 @@ std::pair<std::string, std::string> parse_header(const char *optarg) {
                           std::string(value, strlen(value)));
   util::inp_strlower(p.first);
 
+  if (!nghttp2_check_header_name(
+          reinterpret_cast<const uint8_t *>(p.first.c_str()), p.first.size()) ||
+      !nghttp2_check_header_value(
+          reinterpret_cast<const uint8_t *>(p.second.c_str()),
+          p.second.size())) {
+    return {"", ""};
+  }
+
   return p;
 }
 
@@ -1799,7 +1805,7 @@ int parse_config(const char *opt, const char *optarg,
   case SHRPX_OPTID_ADD_RESPONSE_HEADER: {
     auto p = parse_header(optarg);
     if (p.first.empty()) {
-      LOG(ERROR) << opt << ": header field name is empty: " << optarg;
+      LOG(ERROR) << opt << ": invalid header field: " << optarg;
       return -1;
     }
     if (optid == SHRPX_OPTID_ADD_REQUEST_HEADER) {
diff --git a/src/shrpx_config_test.cc b/src/shrpx_config_test.cc
index 5138dba4..8ac0cda0 100644
--- a/src/shrpx_config_test.cc
+++ b/src/shrpx_config_test.cc
@@ -46,8 +46,7 @@ void test_shrpx_config_parse_header(void) {
   CU_ASSERT("b" == p.second);
 
   p = parse_header(":a: b");
-  CU_ASSERT(":a" == p.first);
-  CU_ASSERT("b" == p.second);
+  CU_ASSERT(p.first.empty());
 
   p = parse_header("a: :b");
   CU_ASSERT("a" == p.first);
@@ -59,6 +58,12 @@ void test_shrpx_config_parse_header(void) {
   p = parse_header("alpha: bravo charlie");
   CU_ASSERT("alpha" == p.first);
   CU_ASSERT("bravo charlie" == p.second);
+
+  p = parse_header("a,: b");
+  CU_ASSERT(p.first.empty());
+
+  p = parse_header("a: b\x0a");
+  CU_ASSERT(p.first.empty());
 }
 
 void test_shrpx_config_parse_log_format(void) {