From 7c596f5dea586c1ba99dfbe7f3ce1996d82f7de0 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 16 Sep 2019 15:32:58 +0200 Subject: http2: relax verification of :authority in push promise requests If the :authority pseudo header field doesn't contain an explicit port, we assume it is valid for the default port, instead of rejecting the request for all ports. Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html Closes #4365 --- lib/http2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/http2.c') diff --git a/lib/http2.c b/lib/http2.c index 31d2d698a..47583265d 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -967,7 +967,9 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, if(!check) /* no memory */ return NGHTTP2_ERR_CALLBACK_FAILURE; - if(!Curl_strcasecompare(check, (const char *)value)) { + if(!Curl_strcasecompare(check, (const char *)value) && + ((conn->remote_port != conn->given->defport) || + !Curl_strcasecompare(conn->host.name, (const char *)value))) { /* This is push is not for the same authority that was asked for in * the URL. RFC 7540 section 8.2 says: "A client MUST treat a * PUSH_PROMISE for which the server is not authoritative as a stream -- cgit v1.2.3