http2: headers validation is non-exhaustive, allows requests with completely empty headers #10633

Open
mostroverkhov opened this issue Oct 2, 2020 · 0 comments

Expected behavior

If netty's http2 headers validation is enabled, headers are validated exhaustively as described in the spec.

Actual behavior

Only a tiny subset of 8.1.2 is accounted for.

Looking at HpackDecoder one may assume that at least pseudo-headers are checked, but in reality netty's http2 server handler accepts requests without any pseudo-headers - which are invalid, and should be rejected.

In fact netty's http2 server handler accepts requests without any headers at all.

The http2 spec enumerates allowed headers and pseudo-headers in the context of potential vulnerabilities:

> Note that these requirements are intended to protect against several types of common attacks against HTTP; they are deliberately strict because being permissive can expose implementations to these vulnerabilities.

I don't know if these are applied to netty due to extra lax headers checks, but I think they must be stricter so library clients do not have to apply protocol checks in application code just to avoid NPEs on `Http2Headers` `path()`, `scheme()`, `method()` etc.

Steps to reproduce

Minimal yet complete reproducer code (or URL to code)

Netty version

4.1.52

JVM version (e.g. java -version)

OS version (e.g. uname -a)
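
An application-side version of the request pseudo-header checks from RFC 7540 sections 8.1.2.1, 8.1.2.3 and 8.3, the kind of check the issue says library clients currently have to write themselves. This is an added example, not Netty code and not code from the issue author; the class `RequestPseudoHeaders` and its methods are hypothetical, and it assumes Netty 4.1 on the classpath.

```java
import io.netty.handler.codec.http2.DefaultHttp2Headers;
import io.netty.handler.codec.http2.Http2Error;
import io.netty.handler.codec.http2.Http2Exception;
import io.netty.handler.codec.http2.Http2Headers;
import io.netty.handler.codec.http2.Http2Headers.PseudoHeaderName;
import java.util.List;

/** Hypothetical helper (not a Netty class): request pseudo-header checks from RFC 7540. */
final class RequestPseudoHeaders {
    /** Call on the initial request header block only; trailers carry no pseudo-headers. */
    static void validate(int streamId, Http2Headers headers) throws Http2Exception {
        // :status is a response pseudo-header and must not appear in a request (8.1.2.1).
        require(streamId, headers, PseudoHeaderName.STATUS, 0);
        CharSequence method = require(streamId, headers, PseudoHeaderName.METHOD, 1);
        if ("CONNECT".contentEquals(method)) {
            // Section 8.3: CONNECT carries :authority and omits :scheme and :path.
            require(streamId, headers, PseudoHeaderName.AUTHORITY, 1);
            require(streamId, headers, PseudoHeaderName.SCHEME, 0);
            require(streamId, headers, PseudoHeaderName.PATH, 0);
            return;
        }
        // Section 8.1.2.3: every other request has exactly one :scheme and one :path.
        require(streamId, headers, PseudoHeaderName.SCHEME, 1);
        require(streamId, headers, PseudoHeaderName.PATH, 1);
    }

    /** Enforces exactly {@code expected} (0 or 1) values; returns the single value or null. */
    private static CharSequence require(int streamId, Http2Headers headers,
                                        PseudoHeaderName name, int expected) throws Http2Exception {
        List<CharSequence> values = headers.getAll(name.value());
        if (values.size() != expected) {
            throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                    "%s: expected %d value(s), got %d", name.value(), expected, values.size());
        }
        if (expected == 1 && values.get(0).length() == 0) {
            throw Http2Exception.streamError(streamId, Http2Error.PROTOCOL_ERROR,
                    "%s must not be empty", name.value());
        }
        return expected == 1 ? values.get(0) : null;
    }

    public static void main(String[] args) {
        try {
            validate(1, new DefaultHttp2Headers()); // constructed input: the empty header block from the issue
        } catch (Http2Exception e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a server this would run where the application first receives the request headers, before any call to `path()`, `scheme()` or `method()`.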
