Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http2: report invalid for spaced header names #33161

Closed
wants to merge 5 commits into from
Closed

http2: report invalid for spaced header names #33161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e90bf14
http2: add `invalidheaders` test
rexagod Apr 24, 2020
e492874
fix test structure and checks
rexagod Jun 7, 2020
f3ba48d
fix tests
rexagod Jun 8, 2020
8dedf1f
fix tests
rexagod Jun 8, 2020
e173ca1
fix tests
rexagod Jun 8, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion lib/internal/http2/compat.js
View file
Open in desktop
Expand Up @@ -73,7 +73,7 @@ let statusConnectionHeaderWarned = false;
// close as possible to the current require('http') API

const assertValidHeader = hideStackFrames((name, value) => {
if (name === '' || typeof name !== 'string') {
if (name === '' || typeof name !== 'string' || name.indexOf(' ') >= 0) {
throw new ERR_INVALID_HTTP_TOKEN('Header name', name);
}
ronag marked this conversation as resolved.
Show resolved Hide resolved
if (isPseudoHeader(name)) {
Expand Down
6 changes: 5 additions & 1 deletion lib/internal/http2/util.js
View file
Open in desktop
Expand Up @@ -18,7 +18,8 @@ const {
ERR_HTTP2_INVALID_CONNECTION_HEADERS,
ERR_HTTP2_INVALID_PSEUDOHEADER,
ERR_HTTP2_INVALID_SETTING_VALUE,
ERR_INVALID_ARG_TYPE
ERR_INVALID_ARG_TYPE,
ERR_INVALID_HTTP_TOKEN
},
addCodeToName,
hideStackFrames
Expand Down Expand Up @@ -490,6 +491,9 @@ function mapToHeaders(map,
count++;
continue;
}
if (key.indexOf(' ') >= 0) {
throw new ERR_INVALID_HTTP_TOKEN('Header name', key);
}
if (isIllegalConnectionSpecificHeader(key, value)) {
throw new ERR_HTTP2_INVALID_CONNECTION_HEADERS(key);
}
Expand Down
65 changes: 65 additions & 0 deletions test/parallel/test-http2-invalidheaderfield.js
View file
Open in desktop
@@ -0,0 +1,65 @@
'use strict';
const common = require('../common');
if (!common.hasCrypto) { common.skip('missing crypto'); }

// Check for:
// Spaced headers
// Psuedo headers
// Capitalized headers

const http2 = require('http2');
const { throws, strictEqual } = require('assert');

const server = http2.createServer(common.mustCall((req, res) => {
throws(() => {
res.setHeader(':path', '/');
}, {
code: 'ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED'
});
throws(() => {
res.setHeader('t est', 123);
rexagod marked this conversation as resolved.
Show resolved Hide resolved
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.setHeader('TEST', 123);
res.setHeader('test_', 123);
res.setHeader(' test', 123);
res.end();
}));

server.listen(0, common.mustCall(() => {
const session1 = http2.connect(`http://localhost:${server.address().port}`);
session1.request({ 'test_': 123, 'TEST': 123 })
.on('end', common.mustCall(() => {
session1.close();
server.close();
}));

const session2 = http2.connect(`http://localhost:${server.address().port}`);
session2.on('error', common.mustCall((e) => {
strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
}));
throws(() => {
session2.request({ 't est': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});

const session3 = http2.connect(`http://localhost:${server.address().port}`);
session3.on('error', common.mustCall((e) => {
strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
}));
throws(() => {
session3.request({ ' test': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});

const session4 = http2.connect(`http://localhost:${server.address().port}`);
throws(() => {
session4.request({ ':test': 123 });
}, {
code: 'ERR_HTTP2_INVALID_PSEUDOHEADER'
});
session4.close();
}));
20 changes: 13 additions & 7 deletions test/parallel/test-http2-invalidheaderfields-client.js
View file
Open in desktop
Expand Up @@ -9,7 +9,11 @@ const server1 = http2.createServer();
server1.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server1.address().port}`);
// Check for req headers
session.request({ 'no underscore': 123 });
assert.throws(() => {
session.request({ 'no underscore': 123 });
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
session.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_INVALID_HTTP_TOKEN');
server1.close();
Expand All @@ -18,15 +22,18 @@ server1.listen(0, common.mustCall(() => {

const server2 = http2.createServer(common.mustCall((req, res) => {
// check for setHeader
res.setHeader('x y z', 123);
assert.throws(() => {
res.setHeader('x y z', 123);
}, {
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.end();
}));

server2.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server2.address().port}`);
const req = session.request();
req.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
req.on('end', common.mustCall(() => {
session.close();
server2.close();
}));
Expand All @@ -39,16 +46,15 @@ const server3 = http2.createServer(common.mustCall((req, res) => {
'an invalid header': 123
});
}), {
code: 'ERR_HTTP2_INVALID_STREAM'
code: 'ERR_INVALID_HTTP_TOKEN'
});
res.end();
}));

server3.listen(0, common.mustCall(() => {
const session = http2.connect(`http://localhost:${server3.address().port}`);
const req = session.request();
req.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, 'ERR_HTTP2_STREAM_ERROR');
req.on('end', common.mustCall(() => {
server3.close();
session.close();
}));
Expand Down