Description
The Go http2 implementation (client & server) validates header values (the validHeader func) but I missed the very next sentence in the http2 spec before:
https://httpwg.github.io/specs/rfc7540.html#rfc.section.10.3
> Similarly, HTTP/2 allows header field values that are not valid. While most of the values that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by an attacker if they are translated verbatim. Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the field-content ABNF rule in Section 3.2 of [RFC7230].
I only thought to go look because I saw a mention of it in the gRPC wire protocol docs:
> Note that HTTP2 does not allow arbitrary octet sequences for header values so binary header values must be encoded using Base64
Needs to be fixed in both the client & server, next to existing checks like:
```go
// existing check covers the header name only; the value gets no equivalent check
if !validHeader(f.Name) {
	rl.reqMalformed = errInvalidHeaderKey
	return false
}
```
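The value check the issue asks for, as an added example that is not code from the Go repository or from the issue author. It applies the RFC 7230 section 3.2 field-content rule byte by byte (the same byte-level rule that golang.org/x/net/http/httpguts.ValidHeaderFieldValue uses), rejects a header block on the first bad value the way the existing name check does, and shows the sender-side consequence the gRPC note describes: binary values are base64-encoded before they go into a header. The names `validHeaderFieldValue`, `checkHeaderValues`, `headerField`, `errInvalidHeaderValue` and `encodeBinaryHeader` are invented for this example, and the header blocks in `main` are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// errInvalidHeaderValue is a hypothetical sibling of errInvalidHeaderKey,
// the error the issue says the http2 package is missing for values.
var errInvalidHeaderValue = errors.New("http2: invalid header field value")

// headerField is a minimal, constructed stand-in for a decoded HPACK field.
type headerField struct {
	Name, Value string
}

// validHeaderFieldValue reports whether v satisfies the field-content rule
// of RFC 7230 section 3.2, checked one byte at a time:
//
//	field-vchar = VCHAR / obs-text   (0x21-0x7E, 0x80-0xFF)
//	plus SP (0x20) and HTAB (0x09) as separators
//
// Everything else, i.e. the C0 controls including NUL (0x00), LF (0x0A)
// and CR (0x0D), and DEL (0x7F), is rejected. Rejecting CR and LF also
// rejects obs-fold (CRLF followed by SP/HTAB), so an HTTP/2 peer cannot
// smuggle a line break that an HTTP/1.x hop would translate verbatim.
func validHeaderFieldValue(v string) bool {
	for i := 0; i < len(v); i++ {
		b := v[i]
		if (b < 0x20 && b != '\t') || b == 0x7f {
			return false
		}
	}
	return true
}

// checkHeaderValues is the check that would sit next to the existing
// validHeader(f.Name) test on both the client and server decode paths:
// the first field whose value is not valid makes the whole header block
// malformed (RFC 7540 section 8.1.2.6). It returns nil when every value
// is acceptable.
func checkHeaderValues(fields []headerField) error {
	for _, f := range fields {
		if !validHeaderFieldValue(f.Value) {
			return fmt.Errorf("%w in %q", errInvalidHeaderValue, f.Name)
		}
	}
	return nil
}

// encodeBinaryHeader is the sender-side counterpart of the gRPC note:
// arbitrary octets cannot travel in a header value, so they are
// base64-encoded (standard alphabet, padded) into the VCHAR range first.
func encodeBinaryHeader(raw []byte) string {
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	// Constructed header block: one value carries a CRLF, which a
	// downstream HTTP/1.x translation would turn into a second header
	// line. It is reported as malformed instead of being forwarded.
	bad := []headerField{
		{"content-type", "text/plain"},
		{"x-trace", "abc\r\nset-cookie: session=attacker"},
	}
	fmt.Println("bad block:", checkHeaderValues(bad))

	// The same payload, base64-encoded the way gRPC requires for binary
	// metadata, passes the check.
	good := []headerField{
		{"content-type", "application/grpc"},
		{"x-trace-bin", encodeBinaryHeader([]byte("abc\r\nset-cookie: session=attacker"))},
	}
	fmt.Println("good block:", checkHeaderValues(good))
}
```

The empty value is accepted on purpose: RFC 7230 defines field-value as `*( field-content / obs-fold )`, so zero characters is a legal value, and the check only has to keep out the bytes that alter parsing.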