From ddb106d7f62cd6151461f95bf489342822f0dbf5 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 6 Jun 2015 18:07:00 +0900
Subject: http2: Harden header validation for curl_pushheader_byname

Since we do prefix match using given header by application code against header name pair in format "NAME:VALUE", and VALUE part can contain ":", we have to careful about existence of ":" in header parameter. ":" should be allowed to match HTTP/2 pseudo-header field, and other use of ":" in header must be treated as error, and curl_pushheader_byname should return NULL. This commit implements this behaviour.
---
 lib/http2.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/http2.c b/lib/http2.c
index 4eae850c6..a6e2cc658 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -238,9 +238,14 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
  */
 char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
 {
-  /* Verify that we got a good easy handle in the push header struct, mostly to
-     detect rubbish input fast(er). */
-  if(!h || !GOOD_EASY_HANDLE(h->data) || !header)
+  /* Verify that we got a good easy handle in the push header struct,
+     mostly to detect rubbish input fast(er). Also empty header name
+     is just a rubbish too. We have to allow ":" at the beginning of
+     the header, but header == ":" must be rejected. If we have ':' in
+     the middle of header, it could be matched in middle of the value,
+     this is because we do prefix match.*/
+  if(!h || !GOOD_EASY_HANDLE(h->data) || !header || !header[0] ||
+     Curl_raw_equal(header, ":") || strchr(header + 1, ':'))
     return NULL;
   else {
     struct HTTP *stream = h->data->req.protop;
-- 
cgit v1.2.3
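Review bot: The `Curl_raw_equal(header, ":")` term on the new condition line runs a case-insensitive string comparison against a single punctuation character, which hides what the comment actually describes; `(header[0] == ':' && !header[1])` states the "header is exactly a lone colon" rule directly and needs no helper call. The second term, `strchr(header + 1, ':')`, already does the rest: it lets a leading colon through for pseudo-header names and rejects a colon anywhere later, so together the two checks match the contract in the comment. The else branch of curl_pushheader_byname continues past the hunk, so the prefix matching this guard protects is not visible here; if that matching is case-sensitive, the comment should add that callers must pass the name in lowercase as HTTP/2 requires, since a mixed-case name would then return NULL exactly like an absent header. A one-line note such as `/* header names are compared case-sensitively; HTTP/2 names are lowercase */` next to the new comment block would make that explicit.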