update picohttpparser and reject multiline headers #1933
Thank you for the PR. LGTM modulo some nit-picking comments. Please let me know what you think.
lib/common/http1client.c
@@ -265,6 +265,11 @@ static void on_head(h2o_socket_t *sock, const char *err) | |||
|
|||
/* fill-in the headers */ | |||
for (i = 0; i != num_headers; ++i) { | |||
if (src_headers[i].name_len == 0) { | |||
/* reject multiline header */ | |||
on_error_before_head(client, "received multiline header that is not allowed"); |
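Review bot: the `/* reject multiline header */` comment on the `name_len == 0` branch does not say why an empty name identifies a folded line. picohttpparser reports a continuation line as a header entry with `name == NULL` and `name_len == 0`, and saying so in the comment would save the next reader a trip to the parser source. The visible lines also end at the `on_error_before_head` call, so please confirm the branch returns immediately after it and the loop does not keep filling in headers for a client that has already been failed.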
"line folding of header fields is not supported"?
lib/http1.c
{ | ||
if (body == NULL) | ||
body = "Bad Request"; |
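Review bot: the `if (body == NULL)` fallback to "Bad Request" is an implicit contract that nothing in the visible lines documents. If the default stays, state in a comment on the function that NULL is accepted and what it expands to; otherwise drop the fallback and require every caller to pass the body text, so the response sent for each rejection is visible at the call site.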
Can we consistently specify the body on the call side?
6d49b7b to cfdbb3c
LGTM!!!
This PR intends to add the following three changes:
GET HTTP/1.1\r\n\r\n
)/ HTTP/1.1\r\n\r\n
)