From 262561fae1aad08550870efa4234c6c5659bd680 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Thu, 25 Mar 2021 07:53:55 -0400
Subject: [PATCH] [core] ignore empty headers unless pseudo-headers (thx daex) (reported on IRC) x-ref: "ignore empty headers unless HTTP/2 pseudo-headers" https://redmine.lighttpd.net/boards/2/topics/9720
---
 src/request.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/request.c b/src/request.c
index 88484d5bf..3c8970818 100644
--- a/src/request.c
+++ b/src/request.c
@@ -677,9 +677,6 @@ http_request_parse_header (request_st * const restrict r, http_header_parse_ctx
 if (0 == klen)
 return http_request_header_line_invalid(r, 400,
 "invalid header key -> 400");
- if (0 == vlen)
- return http_request_header_line_invalid(r, 400,
- "invalid header value -> 400");

 if ((hpctx->hlen += klen + vlen + 4) > hpctx->max_request_field_size) {
 /*(configurable with server.max-request-field-size; default 8k)*/
@@ -705,6 +702,9 @@ http_request_parse_header (request_st * const restrict r, http_header_parse_ctx
 if (!hpctx->pseudo) /*(pseudo header after non-pseudo header)*/
 return http_request_header_line_invalid(r, 400,
 "invalid pseudo-header -> 400");
+ if (0 == vlen)
+ return http_request_header_line_invalid(r, 400,
+ "invalid header value -> 400");
 switch (klen-1) {
 case 4:
 if (0 == memcmp(k+1, "path", 4)) {
@@ -778,6 +778,8 @@ http_request_parse_header (request_st * const restrict r, http_header_parse_ctx
 hpctx->http_parseopts);
 if (0 != status) return status;
 }
+ if (0 == vlen)
+ return 0;

 const unsigned int http_header_strict =
 (hpctx->http_parseopts & HTTP_PARSEOPT_HEADER_STRICT);
@@ -836,6 +838,11 @@ http_request_parse_header (request_st * const restrict r, http_header_parse_ctx
 * XXX: must ensure that trailers are not disallowed field-names
 */

+ #if 0
+ if (0 == vlen)
+ return 0;
+ #endif
+
 return 0;
 }
 }
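Review bot: The empty-value rejection added to the pseudo-header branch reuses the text `"invalid header value -> 400"`, the same string the removed generic check carried, so a request rejected here presumably cannot be told apart from other value errors when reading the error log. A distinct message such as `"invalid pseudo-header value -> 400"` would make triage easier. A short comment, e.g. `/*(pseudo-headers must have a value; empty regular headers are ignored further down)*/`, would also record why the check now lives only in this branch. The enclosing branch starts and ends outside the hunk.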
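Review bot: The added `if (0 == vlen) return 0;` returns before the `http_header_strict` setup, so whatever field-name validation follows it in the part of `http_request_parse_header` outside this hunk is presumably never applied to a header with an empty value; a malformed name would then be dropped silently instead of being answered with 400. If that is intended, say so next to the check, e.g. `/*(empty value: header ignored; field-name deliberately not validated)*/`; otherwise move the check below the name validation so that only well-formed empty headers are ignored. Because the field is discarded rather than stored, anything downstream of this parser never sees it, which deserves a line in the documentation for operators who compare front-end and back-end views of a request.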
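Review bot: The block under `#if 0` at the end of the trailers branch is dead code, and enabling it would change nothing because the next statement is an unconditional `return 0;`. Disabled code committed without a reason leaves the next reader guessing whether empty trailer values still need handling, especially beside the existing XXX note about disallowed field-names. Replace it with a comment such as `/*(empty values need no special case here: this branch returns 0 unconditionally)*/`, or drop it. The branch begins outside the hunk.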