From 5b51320dc5d389f14363ff14b0949e4a696b10a4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 16 Jun 2015 00:09:22 +0900
Subject: [PATCH] nghttpx: Validate :path on SPDY frontend

Unless method is CONNECT, we require that :path starts with "/",
except for OPTIONS method, which can take "*" as :path (server-wide
OPTIONS request).
---
 src/shrpx_spdy_upstream.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/shrpx_spdy_upstream.cc b/src/shrpx_spdy_upstream.cc
index c3431f87..28777e3d 100644
--- a/src/shrpx_spdy_upstream.cc
+++ b/src/shrpx_spdy_upstream.cc
@@ -215,6 +215,14 @@ void on_ctrl_recv_callback(spdylay_session *session, spdylay_frame_type type,
       return;
     }
 
+    // For other than CONNECT method, path must start with "/", except
+    // for OPTIONS method, which can take "*" as path.
+    if (!is_connect && path->value[0] != '/' &&
+        (method_token != HTTP_OPTIONS || path->value != "*")) {
+      upstream->rst_stream(downstream, SPDYLAY_PROTOCOL_ERROR);
+      return;
+    }
+
     downstream->set_request_method(method_token);
     if (is_connect) {
       downstream->set_request_http2_authority(path->value);