Enforce restrictions on request-target formats #1279

natemcmaster · 2017-01-04T01:09:37Z

We currently accept some malformed requests that are not adherent to the HTTP/1.1 spec.

Example:

relative paths GET ../../ HTTP/1.1 is not a valid format at all. Should be rejected.
authority-form GET www.contoso.com HTTP/1.1 is invalid, but Kestrel will accept anyways.
asterisk-form GET * HTTP/1.1 is invalid, but Kestrel will accept anyways.

Restrictions on request-target that are not currently enforced:

authority-form are only valid for CONNECT requests https://tools.ietf.org/html/rfc7230#section-5.3.3
asterisk-form should only by used with OPTIONS requests https://tools.ietf.org/html/rfc7230#section-5.3.4

The text was updated successfully, but these errors were encountered:

natemcmaster mentioned this issue Jan 7, 2017

Handle requests using absolute-form request URIs #1246

Closed

muratg assigned natemcmaster Feb 3, 2017

muratg added 1 - Ready bug labels Feb 3, 2017

muratg added this to the 2.0.0 milestone Feb 3, 2017

natemcmaster mentioned this issue Feb 28, 2017

Added test for query string without path #1406

Closed

natemcmaster added 2 - Working and removed 1 - Ready labels Mar 9, 2017

natemcmaster mentioned this issue Mar 9, 2017

Handle absolute, asterisk, and authority-form request targets #1470

Merged

natemcmaster closed this as completed in #1470 Mar 10, 2017

natemcmaster added 3 - Done and removed 2 - Working labels Mar 10, 2017

Provide feedback