Add nghttp2_check_header_value_rfc9113 which verifies the additional
rule imposed by RFC 9113, section 8.2.1, that is a field value must
not start or end with 0x20(SPC) or 0x09(HTAB).
libnghttp2 uses this new function internally.
This commit adds PRIORITY_UPDATE frame support. Applying incoming
PRIORITY_UPDATE frame to server push stream is not implemented.
Client can send PRIORITY_UPDATE frame by calling
nghttp2_submit_priority_update.
Server opts to receive PRIORITY_UPDATE frame by the call
nghttp2_option_set_builtin_recv_extension_type(option,
NGHTTP2_PRIORITY_UPDATE), and passing the option to
nghttp2_session_server_new2 or nghttp2_session_server_new3.
This commit implements RFC 9218 extensible prioritization scheme. It
is enabled when a local endpoint submits
SETTINGS_NO_RFC7540_PRIORITIES = 1. This commit only handles priority
signal in HTTP request header field. Priority header field in
PUSH_PROMISE is not supported.
HTTP messaging must be enabled to take advantage of this
prioritization scheme because HTTP fields are not parsed if HTTP
messaging is disabled.
Check the allowed characters for ":method" (see RFC 7230, section 3.2.6) and
":path". For ":path", the space and tab characters are now forbidden, but
other special characters are still allowed for compatibility reasons.
Update genvchartbl.py so that it generates the same table as in the code.
Fixes#1611
By default, we check the length of response body matches
content-length. For HEAD request, this is not necessarily true, so we
sniff request method, and if it is HEAD, make sure that response body
length is 0. But this does not work for HTTP Upgrade, since
nghttp2_session_upgrade() has no parameter to tell the request method
was HEAD. This commit disables this response body length validation
for the stream upgraded by HTTP Upgrade. We will add new version of
nghttp2_session_upgrade with the parameter to pass the request method
information so that we can handle this situation properly.
We rewrite static header table handling in nghttp2_hd.c. We expand
nghttp2_token to include all static header table entries, and fully
use them in header compression and decompression. The lookup function
is now located in nghttp2_hd.c. We add new nghttp2_hd_inflate_hd2()
function to export token value for header name, then we pass it to
nghttp2_http_on_header function, so that we don't have to look up
token there. We carefully set enum value of token to static table
index, so looking up static table is now O(1), assuming we have token.
For "http" or "https" URIs, :path header field must start with "/".
The only exception is OPTIONS method, which can contain "*" to
represent system-wide OPTIONS request.
This commit only affects the library behaviour unless
nghttp2_option_set_no_http_messaging() is used.
We like strict validation against header field name and value against
RFC 7230, but we have already so much web sites and libraries in
public internet which do not obey these rules. Simply just
terminating stream because of this may break web sites and it is too
disruptive. So we decided that we should be conservative here so
those header fields containing illegal characters are just ignored.
But we are conservative only for regular headers. We are strict for
pseudo headers since it is new to HTTP/2 and new implementations
should know the rules better.
Previously we did not check HTTP semantics and it is left out for
application. Although checking is relatively easy, but they are
scattered and error prone. We have implemented these checks in our
applications and also feel they are tedious. To make application
development a bit easier, this commit adds basic HTTP semantics
validation to library code. We do following checks:
server:
* HEADERS is either request header or trailer header. Other type of
header is disallowed.
client:
* HEADERS is either zero or more non-final response header or final
response header or trailer header. Other type of header is
disallowed.
For both:
* Check mandatory pseudo header fields.
* Make sure that content-length matches the amount of DATA we
received.
If validation fails, RST_STREAM of type PROTOCOL_ERROR is issued.
Tatsuhiro Tsujikawa
Michael Kaufmann