authorTatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>2015-06-06 18:07:00 +0900
committerDaniel Stenberg <daniel@haxx.se>2015-06-24 23:44:42 +0200
commitddb106d7f62cd6151461f95bf489342822f0dbf5 (patch)
tree55b2e258a682194c0386783d3b09661844d03c17
parent77044b53f7dc6e1c5c90a8f8bc17847adccdaaaa (diff)
http2: Harden header validation for curl_pushheader_byname
Since we do a prefix match of the header given by application code against the header name/value pair in the format "NAME:VALUE", and the VALUE part can contain ":", we have to be careful about the existence of ":" in the header parameter. ":" should be allowed so that HTTP/2 pseudo-header fields can be matched, and any other use of ":" in the header must be treated as an error, in which case curl_pushheader_byname should return NULL. This commit implements this behaviour.
-rw-r--r--lib/http2.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 4eae850c6..a6e2cc658 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -238,9 +238,14 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
*/
char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
{
- /* Verify that we got a good easy handle in the push header struct, mostly to
- detect rubbish input fast(er). */
- if(!h || !GOOD_EASY_HANDLE(h->data) || !header)
+ /* Verify that we got a good easy handle in the push header struct,
+ mostly to detect rubbish input fast(er). Also empty header name
+ is just a rubbish too. We have to allow ":" at the beginning of
+ the header, but header == ":" must be rejected. If we have ':' in
+ the middle of header, it could be matched in middle of the value,
+ this is because we do prefix match.*/
+ if(!h || !GOOD_EASY_HANDLE(h->data) || !header || !header[0] ||
+ Curl_raw_equal(header, ":") || strchr(header + 1, ':'))
return NULL;
else {
struct HTTP *stream = h->data->req.protop;
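Review bot: The `Curl_raw_equal(header, ":")` term in the new guard calls a string-comparison helper to test for a single literal byte; `(header[0] == ':' && !header[1])` states the same condition directly and sits naturally beside the `!header[0]` and `strchr(header + 1, ':')` terms. The comment above the guard would be easier to audit if it listed the rejected inputs (NULL, the empty string, a lone ":", and any ':' after the first byte) and then gave the reason, namely the prefix match against "NAME:VALUE". The diffstat shows only lib/http2.c changed, so nothing pins these cases; a test that passes "", ":", ":method" and a name with an embedded colon would keep the validation from regressing. The prefix-match loop is below the hunk, so whether it also requires a ':' immediately after the matched name cannot be confirmed from here.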