Add validation that HTTP/2 :scheme is consistent with TLS usage

Author: markt-asf

java/org/apache/catalina/connector/CoyoteAdapter.java

@@ -555,9 +555,10 @@ public String getDomain() {
     protected boolean postParseRequest(org.apache.coyote.Request req, Request request, org.apache.coyote.Response res,
             Response response) throws IOException, ServletException {
 
-        // If the processor has set the scheme (AJP does this, HTTP does this if
-        // SSL is enabled) use this to set the secure flag as well. If the
-        // processor hasn't set it, use the settings from the connector
+        /*
+         * If the processor has set the scheme (AJP and HTTP/2 do this, HTTP/1.x does this if SSL is enabled), use this
+         * to set the secure flag as well. If the processor hasn't set it, use the settings from the connector.
+         */
         if (req.scheme().isNull()) {
             // Use connector scheme and secure configuration, (defaults to
             // "http" and false respectively)

java/org/apache/coyote/http2/LocalStrings.properties

@@ -98,6 +98,7 @@ stream.header.contentLength=Connection [{0}], Stream [{1}], The content length h
 stream.header.debug=Connection [{0}], Stream [{1}], HTTP header [{2}], Value [{3}]
 stream.header.duplicate=Connection [{0}], Stream [{1}], received multiple [{2}] headers
 stream.header.empty=Connection [{0}], Stream [{1}], Invalid empty header name
+stream.header.inconsistentScheme=Connection [{0}], Stream [{1}], The scheme [{2}] is not consistent with the TLS enabled setting of [{3}]
 stream.header.invalid=Connection [{0}], Stream [{1}], The header [{2}] contained invalid value [{3}]
 stream.header.noPath=Connection [{0}], Stream [{1}], The [:path] pseudo header was empty
 stream.header.required=Connection [{0}], Stream [{1}], One or more required headers was missing

java/org/apache/coyote/http2/Stream.java

@@ -394,6 +394,13 @@ public final void emitHeader(String name, String value) throws HpackException {
             case ":scheme": {
                 if (coyoteRequest.scheme().isNull()) {
                     coyoteRequest.scheme().setString(value);
+                    // Check scheme is consistent with TLS usage
+                    if ("https".equals(value) != handler.getProtocol().getHttp11Protocol().isSSLEnabled()) {
+                        headerException = new StreamException(
+                                sm.getString("stream.header.inconsistentScheme", getConnectionId(), getIdAsString(),
+                                value, Boolean.toString(handler.getProtocol().getHttp11Protocol().isSSLEnabled())),
+                                Http2Error.PROTOCOL_ERROR, getIdAsInt());
+                    }
                 } else {
                     headerException = new StreamException(
                             sm.getString("stream.header.duplicate", getConnectionId(), getIdAsString(), ":scheme"),

test/org/apache/coyote/http2/Http2TestBase.java

@@ -377,7 +377,11 @@ protected void buildPostRequest(byte[] headersFrameHeader, ByteBuffer headersPay
 
         MimeHeaders headers = new MimeHeaders();
         headers.addValue(":method").setString(Method.POST);
-        headers.addValue(":scheme").setString("http");
+        if (getTomcatInstance().getConnector().getSecure()) {
+            headers.addValue(":scheme").setString("https");
+        } else {
+            headers.addValue(":scheme").setString("http");
+        }
         headers.addValue(":path").setString(path);
         headers.addValue(":authority").setString("localhost:" + getPort());
         if (useExpectation) {

test/org/apache/coyote/http2/TestHttp2Section_8_3.java

@@ -0,0 +1,74 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.coyote.http2;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.tomcat.util.http.Method;
+
+/**
+ * Unit tests for Section 8.3 of <a href="https://tools.ietf.org/html/rfc9113#section-8.3">RFC 9113</a>.
+ */
+public class TestHttp2Section_8_3 extends Http2TestBase {
+
+    /*
+     * Not explicitly specified in section 8.3 but closely aligned to it.
+     */
+
+    @Test
+    public void testSchemeInconsistencyNonTLS() throws Exception {
+        testSchemeInconsistenct(false);
+    }
+
+
+    @Test
+    public void testSchemeInconsistencyTLS() throws Exception {
+        testSchemeInconsistenct(true);
+    }
+
+
+    private void testSchemeInconsistenct(boolean connectionUsesTls) throws Exception {
+        // Start HTTP/2 over non-TLS connection
+        http2Connect(connectionUsesTls);
+
+        byte[] frameHeader = new byte[9];
+        ByteBuffer headersPayload = ByteBuffer.allocate(128);
+
+        List<Header> headers = new ArrayList<>(4);
+        headers.add(new Header(":method", Method.GET));
+        if (connectionUsesTls) {
+            headers.add(new Header(":scheme", "http"));
+        } else {
+            headers.add(new Header(":scheme", "https"));
+        }
+        headers.add(new Header(":path", "/simple"));
+        headers.add(new Header(":authority", "localhost:" + getPort()));
+
+        buildGetRequest(frameHeader, headersPayload, null, headers, 3);
+
+        writeFrame(frameHeader, headersPayload);
+
+        parser.readFrame();
+
+        Assert.assertEquals("3-RST-[1]\n", output.getTrace());
+    }
+}

webapps/docs/changelog.xml

@@ -188,6 +188,10 @@
       <fix>
         Add TLS 1.3 groups added in OpenSSL 4.0. (remm)
       </fix>
+      <fix>
+        Add validation that the HTTP/2 <code>:scheme</code> pseudo-header is
+        consistent with the use (or not) of TLS. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">