Let header validator find host header field when :authority pseudo-header field is missing #324
Conversation
naokiiwakami
commented
Feb 4, 2025
naokiiwakami
commented
…eader field is missing
Motivation:
Some proxy server sends target host name and port number in host header field instead of
using :authority pseudo-header field. According to the HTTP/3 spec, this is a valid
way to send the target endpoint, but current header validator checks only :authority header.
It causes false-positive request validation errors.
Modifications:
Class Http3HeadersSink checks if host header field exists when :authority pseudo-header is
missing in the request.
Result:
No false-positive request validation errors.
|
@naokiiwakami did you sign our icla yet ? https://netty.io/s/icla |
| * https://www.rfc-editor.org/rfc/rfc9110#section-7.2 | ||
| */ | ||
| private boolean authorityOrHostHeaderReceived() { | ||
| return (receivedPseudoHeaders & AUTHORITY.getFlag()) == AUTHORITY.getFlag() || headers.contains("host"); |
| @@ -16,6 +16,8 @@ | |||
| package io.netty.incubator.codec.http3; | |||
|
|
|||
|
|
|||
| import com.google.common.net.HttpHeaders; | |||
There was a problem hiding this comment.
Replace by our own HttpHeaderNames class
Motivation:
To replace hard-coded string and to remove unnecessary dependency.
Modifications:
Used netty's HttpHeaderNames class for host header field name.
Result:
Cleaner code.
|
Hi Norman, thanks for looking into the PR. I have addressed your comments.
I have signed it. |
|
The automated test failed https://github.com/netty/netty-incubator-codec-http3/actions/runs/13137920730/job/36657661053 It seems that the test does not allow a PR from a fork. But I only have a fork. Did I do anything wrong?
|
|
@naokiiwakami Thanks a lot! |
