"is http2" detection doesn't seem quite correct #989
Comments
Right.
Why is that a question?
Clients to send a few bytes at the beginning seem malicious.
This sounds like an argument for ossification
<https://en.wikipedia.org/wiki/Protocol_ossification> over correctness.
Why shouldn't it be able to handle a semantically correct connection if the
server chooses to?
On Tue, May 7, 2024 at 7:29 PM Kazu Yamamoto ***@***.***> wrote:
> Clients to send a few bytes at the beginning seem malicious.
> Should we treat them kindly?
@kazu-yamamoto For sure; it's clearly a corner case. Nonetheless, it's exactly the kind of thing I would expect to be handled correctly in a web server! Regarding this,
My understanding is that even if an honest client sends a legitimately-sized "packet" of bytes, the server can nonetheless read an arbitrary number of them at each call to
wai/warp/Network/Wai/Handler/Warp/Run.hs
Line 390 in 2a7399f
Here we seem to determine whether this is an HTTP/2 request by reading some bytes off the wire, and if they are `PRI`, it is. But there's no guarantee we read 4 bytes, of course. We could read `PR`, determine this isn't an HTTP/2 request, go down the HTTP/1 code path and proceed to read the remaining `I`!
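The short-read case described in this issue, as an added Python example that is not part of the thread and not Warp's code: a check on the first read alone misclassifies a split preface, while buffering until the 4-byte prefix is decidable does not. The function names and the `chunked_recv` stand-in for a socket are hypothetical, and the sample inputs are constructed.

```python
# First 4 bytes of the HTTP/2 client connection preface, the value the issue's check looks for.
H2_MAGIC = b"PRI "
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # full preface, used as sample input

def naive_is_h2(first_chunk):
    """The behaviour described in the issue: judge whatever the first read returned."""
    return first_chunk[:4] == H2_MAGIC

def classify(buf):
    """Decide from all bytes buffered so far: 'h2', 'h1' or 'need-more'."""
    if buf[:4] == H2_MAGIC:
        return "h2"
    if H2_MAGIC.startswith(buf):
        return "need-more"  # empty, or a proper prefix such as b"PR"
    return "h1"  # diverged from the magic, e.g. b"G" or b"PRO"

def detect(recv):
    """Call recv() until the protocol is decided or the peer closes.

    Returns (verdict, buffered); the buffered bytes must be handed to the
    chosen parser so that nothing already read is dropped. A real server
    would run this loop under its normal read timeout.
    """
    buf = b""
    while True:
        verdict = classify(buf)
        if verdict != "need-more":
            return verdict, buf
        chunk = recv()
        if not chunk:  # EOF before a decision could be made
            return "closed", buf
        buf += chunk

def chunked_recv(chunks):
    """Constructed stand-in for a socket: each call yields the next chunk, then b''."""
    it = iter(chunks)
    return lambda: next(it, b"")

if __name__ == "__main__":
    split = [PREFACE[:2], PREFACE[2:]]  # constructed: preface arrives as b"PR" + rest
    print(naive_is_h2(split[0]))        # first read alone looks like HTTP/1
    print(detect(chunked_recv(split)))  # buffering across reads recovers the verdict
    print(detect(chunked_recv([b"PR", b"OPFIND / HTTP/1.1\r\n"])))
```

The `PROPFIND` case shows why `PR` alone cannot be classified either way: both an HTTP/2 preface and a valid HTTP/1 method can begin with those two bytes.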