Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify :authority in HTTP/2 server push #3577

Closed
bagder opened this issue Feb 17, 2019 · 0 comments
Closed

Verify :authority in HTTP/2 server push #3577

bagder opened this issue Feb 17, 2019 · 0 comments
Assignees
@bagder
Labels
HTTP/2

Comments

@bagder
Copy link
Member

bagder commented Feb 17, 2019

I did this

Nicolas Grekas correctly pointed out on the mailing list that libcurl doesn't verify the :athority header correct in the push headers, as described in RFC 7540:

The server MUST include a value in the :authority pseudo-header field for which the server is authoritative (see Section 10.1). A client MUST treat a PUSH_PROMISE for which the server is not authoritative as a stream error (Section 5.4.2) of type PROTOCOL_ERROR.

Right now, libcurl leaves that check for the application without it being documented or explained.

I expected the following

libcurl needs to check the header and reject pushes for non-validated authorities.

curl/libcurl version

curl master

operating system

All
@bagder bagder added the HTTP/2 label Feb 17, 2019
@bagder bagder self-assigned this Feb 17, 2019
bagder added a commit that referenced this issue Feb 18, 2019
@bagder
http2: verify :athority in push promise requests
228cb25 
RFC 7540 says we should verify that the push is for an "authoritative"
server. We make sure of this by only allowing push with an :athority
header that matches the host that was asked for in the URL.

Fixes #3577
Reported-by: Nicolas Grekas
Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
@bagder bagder mentioned this issue Feb 18, 2019
Closed
@bagder bagder closed this as completed in aa5a28b Feb 20, 2019
@nicolas-grekas nicolas-grekas mentioned this issue Mar 3, 2019
Merged
@lock lock bot locked as resolved and limited conversation to collaborators May 21, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bagder bagder

Labels
HTTP/2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

http2: verify :athority in push promise requests curl/curl
1 participant
@bagder