HTTPCORE-692 add new rules for H2 header check as rfc7540 section 8.1.2.2 and 8.1.2.3 defined

Author: yinwoods

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2RequestConverter.java

@@ -106,7 +106,12 @@ public HttpRequest convert(final List<Header> headers) throws HttpException {
                         throw new ProtocolException("Unsupported request header '%s'", name);
                 }
             } else {
-                if (name.equalsIgnoreCase(HttpHeaders.CONNECTION)) {
+                if (name.equalsIgnoreCase(HttpHeaders.CONNECTION) || name.equalsIgnoreCase(HttpHeaders.KEEP_ALIVE)
+                    || name.equalsIgnoreCase(HttpHeaders.PROXY_CONNECTION) || name.equalsIgnoreCase(HttpHeaders.TRANSFER_ENCODING)
+                    || name.equalsIgnoreCase(HttpHeaders.HOST) || name.equalsIgnoreCase(HttpHeaders.UPGRADE)) {
+                    throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
+                }
+                if (name.equalsIgnoreCase(HttpHeaders.TE) && !value.equalsIgnoreCase("trailers")) {
                     throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
                 }
                 messageHeaders.add(header);
@@ -189,8 +194,13 @@ public List<Header> convert(final HttpRequest message) throws HttpException {
             if (name.startsWith(":")) {
                 throw new ProtocolException("Header name '%s' is invalid", name);
             }
-            if (name.equalsIgnoreCase(HttpHeaders.CONNECTION)) {
-                throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", name, value);
+            if (name.equalsIgnoreCase(HttpHeaders.CONNECTION) || name.equalsIgnoreCase(HttpHeaders.KEEP_ALIVE)
+                || name.equalsIgnoreCase(HttpHeaders.PROXY_CONNECTION) || name.equalsIgnoreCase(HttpHeaders.TRANSFER_ENCODING)
+                || name.equalsIgnoreCase(HttpHeaders.HOST) || name.equalsIgnoreCase(HttpHeaders.UPGRADE)) {
+                throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
+            }
+            if (name.equalsIgnoreCase(HttpHeaders.TE) && !value.equalsIgnoreCase("trailers")) {
+                throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
             }
             headers.add(new BasicHeader(TextUtils.toLowerCase(name), value));
         }

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2ResponseConverter.java

@@ -82,7 +82,8 @@ public HttpResponse convert(final List<Header> headers) throws HttpException {
                     throw new ProtocolException("Unsupported response header '%s'", name);
                 }
             } else {
-                if (name.equalsIgnoreCase(HttpHeaders.CONNECTION)) {
+                if (name.equalsIgnoreCase(HttpHeaders.CONNECTION) || name.equalsIgnoreCase(HttpHeaders.KEEP_ALIVE)
+                    || name.equalsIgnoreCase(HttpHeaders.TRANSFER_ENCODING) || name.equalsIgnoreCase(HttpHeaders.UPGRADE)) {
                     throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
                 }
                 messageHeaders.add(header);
@@ -123,8 +124,9 @@ public List<Header> convert(final HttpResponse message) throws HttpException {
             if (name.startsWith(":")) {
                 throw new ProtocolException("Header name '%s' is invalid", name);
             }
-            if (name.equalsIgnoreCase(HttpHeaders.CONNECTION)) {
-                throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", name, value);
+            if (name.equalsIgnoreCase(HttpHeaders.CONNECTION) || name.equalsIgnoreCase(HttpHeaders.KEEP_ALIVE)
+                || name.equalsIgnoreCase(HttpHeaders.TRANSFER_ENCODING) || name.equalsIgnoreCase(HttpHeaders.UPGRADE)) {
+                throw new ProtocolException("Header '%s: %s' is illegal for HTTP/2 messages", header.getName(), header.getValue());
             }
             headers.add(new BasicHeader(TextUtils.toLowerCase(name), value));
         }

httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2RequestConverter.java

@@ -358,6 +358,89 @@ public void testConvertFromMessageConnectionHeader() throws Exception {
                 HttpException.class, () -> converter.convert(request));
     }
 
+    @Test
+    public void testConvertFromFieldsKeepAliveHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("Keep-Alive", "timeout=5, max=1000");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'Keep-Alive: timeout=5, max=1000' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsProxyConnectionHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("Proxy-Connection", "keep-alive");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'Proxy-Connection: Keep-Alive' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsTransferEncodingHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("Transfer-Encoding", "gzip");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'Transfer-Encoding: gzip' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsHostHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("Host", "host");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'Host: host' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsUpgradeHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("Upgrade", "example/1, foo/2");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'Upgrade: example/1, foo/2' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsTEHeader() throws Exception {
+        final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");
+        request.addHeader("TE", "gzip");
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        Assert.assertThrows("Header 'TE: gzip' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(request));
+    }
+
+    @Test
+    public void testConvertFromFieldsTETrailerHeader() throws Exception {
+
+        final List<Header> headers = Arrays.asList(
+            new BasicHeader(":method", "GET"),
+            new BasicHeader(":scheme", "http"),
+            new BasicHeader(":authority", "www.example.com"),
+            new BasicHeader(":path", "/"),
+            new BasicHeader("te", "trailers"));
+
+        final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+        final HttpRequest request = converter.convert(headers);
+        Assert.assertNotNull(request);
+        Assert.assertEquals("GET", request.getMethod());
+        Assert.assertEquals("http", request.getScheme());
+        Assert.assertEquals(new URIAuthority("www.example.com"), request.getAuthority());
+        Assert.assertEquals("/", request.getPath());
+        final Header[] allHeaders = request.getHeaders();
+        Assert.assertEquals(1, allHeaders.length);
+        Assert.assertEquals("te", allHeaders[0].getName());
+        Assert.assertEquals("trailers", allHeaders[0].getValue());
+    }
+
     @Test
     public void testConvertFromMessageInvalidHeader() throws Exception {
         final HttpRequest request = new BasicHttpRequest("GET", new HttpHost("host"), "/");

httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2ResponseConverter.java

@@ -95,6 +95,42 @@ public void testConvertFromFieldsConnectionHeader() throws Exception {
                 HttpException.class, () -> converter.convert(headers));
     }
 
+    @Test
+    public void testConvertFromFieldsKeepAliveHeader() throws Exception {
+        final List<Header> headers = Arrays.asList(
+            new BasicHeader(":status", "200"),
+            new BasicHeader("location", "http://www.example.com/"),
+            new BasicHeader("keep-alive", "timeout=5, max=1000"));
+
+        final DefaultH2ResponseConverter converter = new DefaultH2ResponseConverter();
+        Assert.assertThrows("Header 'keep-alive: timeout=5, max=1000' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(headers));
+    }
+
+    @Test
+    public void testConvertFromFieldsTransferEncodingHeader() throws Exception {
+        final List<Header> headers = Arrays.asList(
+            new BasicHeader(":status", "200"),
+            new BasicHeader("location", "http://www.example.com/"),
+            new BasicHeader("transfer-encoding", "gzip"));
+
+        final DefaultH2ResponseConverter converter = new DefaultH2ResponseConverter();
+        Assert.assertThrows("Header 'transfer-encoding: gzip' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(headers));
+    }
+
+    @Test
+    public void testConvertFromFieldsUpgradeHeader() throws Exception {
+        final List<Header> headers = Arrays.asList(
+            new BasicHeader(":status", "200"),
+            new BasicHeader("location", "http://www.example.com/"),
+            new BasicHeader("upgrade", "example/1, foo/2"));
+
+        final DefaultH2ResponseConverter converter = new DefaultH2ResponseConverter();
+        Assert.assertThrows("Header 'upgrade: example/1, foo/2' is illegal for HTTP/2 messages",
+                            HttpException.class, () -> converter.convert(headers));
+    }
+
     @Test
     public void testConvertFromFieldsMissingStatus() throws Exception {
         final List<Header> headers = Arrays.asList(

httpcore5/src/main/java/org/apache/hc/core5/http/HttpHeaders.java

@@ -167,6 +167,8 @@ private HttpHeaders() {
 
     public static final String PROXY_AUTHORIZATION = "Proxy-Authorization";
 
+    public static final String PROXY_CONNECTION = "Proxy-Connection";
+
     public static final String RANGE = "Range";
 
     public static final String REFERER = "Referer";