"is http2" detection doesn't seem quite correct #989

Closed
mitchellwrosen opened this issue May 6, 2024 · 5 comments · Fixed by #991

@mitchellwrosen
Contributor

```haskell
if S.length bs0 >= 4 && "PRI " `S.isPrefixOf` bs0
```

Here we seem to determine whether this is an HTTP/2 request by reading some bytes off the wire, and if they are `PRI `, it is.

But there's no guarantee we read 4 bytes, of course. We could read `PR`, determine this isn't an HTTP/2 request, go down the HTTP/1 code path and proceed to read the remaining `I `!

@kazu-yamamoto
Contributor

Right.
But a question is whether or not we should rescue this corner case.

@mitchellwrosen
Contributor Author

Why is that a question?

@kazu-yamamoto
Contributor

Clients that send a few bytes at the beginning seem malicious.
Should we treat them kindly?

@davean

davean commented May 8, 2024 via email

@mitchellwrosen
Contributor Author

mitchellwrosen commented May 9, 2024

@kazu-yamamoto For sure; it's clearly a corner case. Nonetheless, it's exactly the kind of thing I would expect to be handled correctly in a web server!

Regarding this,

> Clients that send a few bytes at the beginning seem malicious.

My understanding is that even if an honest client sends a legitimately-sized "packet" of bytes, the server can nonetheless read an arbitrary number of them at each call to read().
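
The split-read case discussed in this thread, shown as an added example that is not part of the original issue or of the project's code. `Recv`, `mkRecv`, `naiveIsHTTP2` and `detectHTTP2` are hypothetical names, and the chunked inputs are constructed; the idea is to keep reading only while the bytes seen so far are still a proper prefix of `PRI `.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Data.ByteString.Char8 as S
import Data.IORef (atomicModifyIORef', newIORef)

-- Hypothetical stand-in for a socket receive: each call returns the next
-- chunk the transport happened to deliver; "" means the peer closed.
type Recv = IO S.ByteString

-- Build a Recv that replays a fixed list of chunks (constructed test input).
mkRecv :: [S.ByteString] -> IO Recv
mkRecv chunks = do
    ref <- newIORef chunks
    return $ atomicModifyIORef' ref $ \cs -> case cs of
        []         -> ([], S.empty)
        (c : rest) -> (rest, c)

-- The check quoted in the issue: it decides on the first read alone.
naiveIsHTTP2 :: S.ByteString -> Bool
naiveIsHTTP2 bs0 = S.length bs0 >= 4 && "PRI " `S.isPrefixOf` bs0

-- Accumulate reads until the prefix is decidable. Returns the verdict and
-- every byte consumed so far, so the HTTP/1 or HTTP/2 parser that runs
-- next starts from the true beginning of the stream.
detectHTTP2 :: Recv -> IO (Bool, S.ByteString)
detectHTTP2 recv = go S.empty
  where
    magic = "PRI "
    go acc
        | magic `S.isPrefixOf` acc       = return (True, acc)
        | not (acc `S.isPrefixOf` magic) = return (False, acc)
        | otherwise = do
            bs <- recv
            if S.null bs then return (False, acc) else go (acc <> bs)

main :: IO ()
main = do
    -- Verdict of the quoted check when the first read returns only "PR".
    print (naiveIsHTTP2 "PR")
    -- Constructed input: the HTTP/2 connection preface split across two reads.
    h2 <- mkRecv ["PR", "I * HTTP/2.0\r\n\r\nSM\r\n\r\n"]
    detectHTTP2 h2 >>= print
    -- Constructed input: an HTTP/1.1 request split the same way.
    h1 <- mkRecv ["GE", "T / HTTP/1.1\r\n\r\n"]
    detectHTTP2 h1 >>= print
```

A loop like this should run under whatever read timeout the server already applies to a new connection, so a peer that stalls after sending `PR` is bounded the same way as any other slow client.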
