Commit Graph

31 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa a26bad3324 Do not verify host field specific characters for response field
Do not verify host field specific characters for response field
section because host field in response field section is undefined.
2022-06-11 17:08:51 +09:00
Tatsuhiro Tsujikawa 31b5b78dc1 Use switch to avoid many if-else-if 2021-09-04 17:35:33 +09:00
Tatsuhiro Tsujikawa 977b0ceee4 make clang-format 2021-09-04 17:27:43 +09:00
Michael Kaufmann 83c063346d Stricter checks for pseudo-headers :method and :path
Check the allowed characters for ":method" (see RFC 7230, section 3.2.6) and
":path". For ":path", the space and tab characters are now forbidden, but
other special characters are still allowed for compatibility reasons.

Update genvchartbl.py so that it generates the same table as in the code.

Fixes #1611
2021-08-31 21:47:35 +02:00
Tatsuhiro Tsujikawa 77f5487a58 Add nghttp2_check_authority as public API 2019-11-02 00:33:59 +09:00
Tatsuhiro Tsujikawa afefbda518 Ignore content-length in 200 response to CONNECT request 2019-05-17 23:00:32 +09:00
Tatsuhiro Tsujikawa 334c439ce0 Fix bug that regular CONNECT does not work 2018-10-04 12:02:46 +09:00
Tatsuhiro Tsujikawa 6700626c30 Rule out content-length in the successful response to CONNECT 2018-10-03 23:24:32 +09:00
Tatsuhiro Tsujikawa 651e147711 Allow client sending :protocol optimistically 2018-09-28 00:12:02 +09:00
Tatsuhiro Tsujikawa b80dfaa8a0 Adjustment for RFC 8441 2018-09-23 11:22:30 +09:00
Tatsuhiro Tsujikawa a19d8f5d31 Deal with :protocol pseudo header 2018-09-23 10:36:30 +09:00
Tatsuhiro Tsujikawa 842509dab6 Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade 2018-03-11 15:37:30 +09:00
Tatsuhiro Tsujikawa 85a12429ee Eliminate _U_ macro
Instead use (void)VAR for better compiler compatibility.
2017-03-11 18:45:49 +09:00
Tatsuhiro Tsujikawa 5645cad577 Accept and ignore content-length: 0 in 204 response for now 2016-12-03 14:57:16 +09:00
Tatsuhiro Tsujikawa 6ad9ddcdea Disallow content-length in 1xx, 204, or 200 to a CONNECT request 2016-11-03 17:26:32 +09:00
Tatsuhiro Tsujikawa 0cf6848646 clang-format-3.9 2016-10-15 18:36:04 +09:00
Tatsuhiro Tsujikawa ff0d137fb3 Reference counted HPACK name/value pair 2016-03-12 21:12:27 +09:00
Tatsuhiro Tsujikawa c7de58d865 Validate :authroity, host, and :scheme value more strictly 2016-01-16 15:11:48 +09:00
Tatsuhiro Tsujikawa 5e7e479c6c Workaround HTTP upgrade with HEAD request
By default, we check the length of response body matches
content-length.  For HEAD request, this is not necessarily true, so we
sniff request method, and if it is HEAD, make sure that response body
length is 0.  But this does not work for HTTP Upgrade, since
nghttp2_session_upgrade() has no parameter to tell the request method
was HEAD.  This commit disables this response body length validation
for the stream upgraded by HTTP Upgrade.  We will add new version of
nghttp2_session_upgrade with the parameter to pass the request method
information so that we can handle this situation properly.
2015-11-07 10:56:40 +09:00
Tatsuhiro Tsujikawa 170f2a144a Fix warning with gcc 2015-09-23 18:26:02 +09:00
Tatsuhiro Tsujikawa 28fe3e7e89 More warning flags for --enable-werror 2015-09-23 16:49:45 +09:00
Tatsuhiro Tsujikawa 93afbc7d2f Rewrite static header table handling
We rewrite static header table handling in nghttp2_hd.c.  We expand
nghttp2_token to include all static header table entries, and fully
use them in header compression and decompression.  The lookup function
is now located in nghttp2_hd.c.  We add new nghttp2_hd_inflate_hd2()
function to export token value for header name, then we pass it to
nghttp2_http_on_header function, so that we don't have to look up
token there.  We carefully set enum value of token to static table
index, so looking up static table is now O(1), assuming we have token.
2015-04-15 23:58:56 +09:00
Tatsuhiro Tsujikawa 6893608ae2 Use literal instead of computed value in token lookup 2015-03-21 23:03:37 +09:00
Tatsuhiro Tsujikawa ef913bc929 Validate :path header field
For "http" or "https" URIs, :path header field must start with "/".
The only exception is OPTIONS method, which can contain "*" to
represent system-wide OPTIONS request.
2015-03-21 23:03:37 +09:00
Tatsuhiro Tsujikawa 05b8901d69 Call on_invalid_frame_recv_callback on bad HTTP messaging 2015-02-26 22:59:07 +09:00
Tatsuhiro Tsujikawa f2a498e3c4 Disallow upper-cased header field name 2015-02-24 18:45:59 +09:00
Tatsuhiro Tsujikawa 814c7e68e0 Ignore regular headers if it includes illegal characters.
This commit only affects the library behaviour unless
nghttp2_option_set_no_http_messaging() is used.

We like strict validation against header field name and value against
RFC 7230, but we have already so much web sites and libraries in
public internet which do not obey these rules.  Simply just
terminating stream because of this may break web sites and it is too
disruptive.  So we decided that we should be conservative here so
those header fields containing illegal characters are just ignored.
But we are conservative only for regular headers.  We are strict for
pseudo headers since it is new to HTTP/2 and new implementations
should know the rules better.
2015-02-22 23:13:27 +09:00
Tatsuhiro Tsujikawa b39aa43537 Use C-style comment 2015-02-20 21:49:47 +09:00
Tatsuhiro Tsujikawa 83952ef0af Insert '_' before header name nghttp2_http_flag to consistent with token 2015-02-20 19:30:34 +09:00
Tatsuhiro Tsujikawa 3dbd2d31bd Early return after :method is seen 2015-02-20 19:26:34 +09:00
Tatsuhiro Tsujikawa b157d4ebb2 Validate HTTP semantics by default
Previously we did not check HTTP semantics and it is left out for
application.  Although checking is relatively easy, but they are
scattered and error prone.  We have implemented these checks in our
applications and also feel they are tedious.  To make application
development a bit easier, this commit adds basic HTTP semantics
validation to library code.  We do following checks:

server:

* HEADERS is either request header or trailer header.  Other type of
header is disallowed.

client:

* HEADERS is either zero or more non-final response header or final
  response header or trailer header.  Other type of header is
  disallowed.

For both:

* Check mandatory pseudo header fields.
* Make sure that content-length matches the amount of DATA we
  received.

If validation fails, RST_STREAM of type PROTOCOL_ERROR is issued.
2015-02-20 01:01:10 +09:00