Expected behavior

If Netty's http2 headers validation is enabled, headers are validated exhaustively as described in the spec.

Actual behavior

Only a tiny subset of 8.1.2 is accounted for.

Looking at HpackDecoder one may assume that at least pseudo-headers are checked, but in reality Netty's http2 server handler accepts requests without any pseudo-headers, which are invalid and should be rejected.

In fact Netty's http2 server handler accepts requests without any headers at all.

The http2 spec enumerates allowed headers and pseudo-headers in the context of potential vulnerabilities:

"Note that these requirements are intended to protect against several types of common attacks against HTTP; they are deliberately strict because being permissive can expose implementations to these vulnerabilities."

I don't know if these apply to Netty because of the extra-lax header checks, but I think they must be stricter so library clients do not have to apply protocol checks in application code just to avoid NPEs on Http2Headers path(), scheme(), method() etc.

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

4.1.52

JVM version (e.g. java -version)

OS version (e.g. uname -a)
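The application-side check the report says library clients are currently forced to write, as an added example that is not part of the issue or of Netty: a validator for the RFC 7540 section 8.1.2 request rules (only defined pseudo-headers, pseudo-headers before regular headers, no :status in a request, lowercase field names, no connection-specific fields, TE limited to "trailers", exactly one :method/:scheme/:path unless CONNECT, non-empty :path) that runs before any call to method()/path()/scheme(). The class name Http2RequestHeaderCheck and the method validate are hypothetical names chosen here; the Netty types used (Http2Headers, DefaultHttp2Headers, Http2Exception, Http2Error, AsciiString) are Netty's own, and the sample header sets in main are constructed for the demonstration, not captured traffic.

```java
import io.netty.handler.codec.http2.DefaultHttp2Headers;
import io.netty.handler.codec.http2.Http2Error;
import io.netty.handler.codec.http2.Http2Exception;
import io.netty.handler.codec.http2.Http2Headers;
import io.netty.handler.codec.http2.Http2Headers.PseudoHeaderName;
import io.netty.util.AsciiString;

import java.util.Map;

/** Hypothetical application-side helper (not Netty code): RFC 7540 8.1.2 request header checks. */
public final class Http2RequestHeaderCheck {

    private static final String[] CONNECTION_SPECIFIC = {
            "connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade" };

    /** Throws a PROTOCOL_ERROR stream error if the request headers are malformed per 8.1.2. */
    static void validate(int streamId, Http2Headers headers) throws Http2Exception {
        boolean seenRegularHeader = false;
        for (Map.Entry<CharSequence, CharSequence> entry : headers) {
            CharSequence name = entry.getKey();
            if (PseudoHeaderName.hasPseudoHeaderFormat(name)) {
                // 8.1.2.1: only defined pseudo-headers, all of them before any regular header.
                if (!PseudoHeaderName.isPseudoHeader(name) || seenRegularHeader) {
                    throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                            "malformed pseudo-header %s", name);
                }
                // 8.1.2.1: :status is a response pseudo-header and must not appear in a request.
                if (AsciiString.contentEquals(PseudoHeaderName.STATUS.value(), name)) {
                    throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                            ":status in request");
                }
                continue;
            }
            seenRegularHeader = true;
            // 8.1.2: field names must be lowercase.
            for (int i = 0; i < name.length(); i++) {
                char c = name.charAt(i);
                if (c >= 'A' && c <= 'Z') {
                    throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                            "uppercase header name %s", name);
                }
            }
            // 8.1.2.2: connection-specific fields are forbidden; TE may only carry "trailers".
            for (String forbidden : CONNECTION_SPECIFIC) {
                if (AsciiString.contentEqualsIgnoreCase(name, forbidden)) {
                    throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                            "connection-specific header %s", name);
                }
            }
            if (AsciiString.contentEqualsIgnoreCase(name, "te")
                    && !AsciiString.contentEqualsIgnoreCase(entry.getValue(), "trailers")) {
                throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                        "te header with value other than trailers");
            }
        }
        // 8.1.2.3: exactly one :method; this is the check that avoids a null from headers.method().
        if (headers.getAll(PseudoHeaderName.METHOD.value()).size() != 1) {
            throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                    "request must carry exactly one :method");
        }
        if (AsciiString.contentEquals("CONNECT", headers.method())) {
            // 8.3: CONNECT carries :authority only; :scheme and :path must be absent.
            if (headers.authority() == null || headers.scheme() != null || headers.path() != null) {
                throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                        "malformed CONNECT pseudo-headers");
            }
            return;
        }
        // 8.1.2.3: exactly one :scheme and one non-empty :path for every other method.
        if (headers.getAll(PseudoHeaderName.SCHEME.value()).size() != 1
                || headers.getAll(PseudoHeaderName.PATH.value()).size() != 1
                || headers.path().length() == 0) {
            throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                    "request must carry exactly one :scheme and one non-empty :path");
        }
    }

    public static void main(String[] args) {
        // Constructed samples. validate=false so Netty's own name validation does not
        // pre-empt the checks shown above; the validator must reject these on its own.
        Http2Headers ok = new DefaultHttp2Headers(false)
                .method("GET").scheme("https").authority("example.com").path("/")
                .add("accept", "*/*");
        Http2Headers noPseudoHeaders = new DefaultHttp2Headers(false).add("accept", "*/*"); // the case from this issue
        Http2Headers connectionHeader = new DefaultHttp2Headers(false)
                .method("GET").scheme("https").path("/").add("connection", "keep-alive");
        Http2Headers connect = new DefaultHttp2Headers(false).method("CONNECT").authority("example.com:443");
        for (Http2Headers h : new Http2Headers[] { ok, noPseudoHeaders, connectionHeader, connect }) {
            try {
                validate(1, h);
                System.out.println("accepted: " + h);
            } catch (Http2Exception e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Calling validate(streamId, headers) at the top of an Http2FrameListener.onHeadersRead implementation, and resetting the stream on Http2Exception, gives the application the 8.1.2 guarantees before it dereferences method(), path() or scheme(); the headers-without-pseudo-headers case from the report is rejected by the :method count check rather than surfacing later as a NullPointerException.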