|
|
90c0d6 |
diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
|
|
|
90c0d6 |
index 6bc062e..570b871 100644
|
|
|
90c0d6 |
--- a/bin/varnishd/http2/cache_http2_hpack.c
|
|
|
90c0d6 |
+++ b/bin/varnishd/http2/cache_http2_hpack.c
|
|
|
90c0d6 |
@@ -97,11 +97,16 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
|
|
90c0d6 |
/* XXX: This might belong in cache/cache_http.c */
|
|
|
90c0d6 |
const char *b0;
|
|
|
90c0d6 |
unsigned n;
|
|
|
90c0d6 |
+ int disallow_empty;
|
|
|
90c0d6 |
+ char *p;
|
|
|
90c0d6 |
+ int i;
|
|
|
90c0d6 |
|
|
|
90c0d6 |
CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
|
|
|
90c0d6 |
AN(b);
|
|
|
90c0d6 |
assert(namelen >= 2); /* 2 chars from the ': ' that we added */
|
|
|
90c0d6 |
assert(namelen <= len);
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
+ disallow_empty = 0;
|
|
|
90c0d6 |
|
|
|
90c0d6 |
if (len > UINT_MAX) { /* XXX: cache_param max header size */
|
|
|
90c0d6 |
VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
|
|
|
90c0d6 |
@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
|
|
90c0d6 |
b += namelen;
|
|
|
90c0d6 |
len -= namelen;
|
|
|
90c0d6 |
n = HTTP_HDR_METHOD;
|
|
|
90c0d6 |
+ disallow_empty = 1;
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
+ /* First field cannot contain SP or CTL */
|
|
|
90c0d6 |
+ for (p = b, i = 0; i < len; p++, i++) {
|
|
|
90c0d6 |
+ if (vct_issp(*p) || vct_isctl(*p))
|
|
|
90c0d6 |
+ return (H2SE_PROTOCOL_ERROR);
|
|
|
90c0d6 |
+ }
|
|
|
90c0d6 |
} else if (!strncmp(b, ":path: ", namelen)) {
|
|
|
90c0d6 |
b += namelen;
|
|
|
90c0d6 |
len -= namelen;
|
|
|
90c0d6 |
n = HTTP_HDR_URL;
|
|
|
90c0d6 |
+ disallow_empty = 1;
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
+ /* Second field cannot contain LWS or CTL */
|
|
|
90c0d6 |
+ for (p = b, i = 0; i < len; p++, i++) {
|
|
|
90c0d6 |
+ if (vct_islws(*p) || vct_isctl(*p))
|
|
|
90c0d6 |
+ return (H2SE_PROTOCOL_ERROR);
|
|
|
90c0d6 |
+ }
|
|
|
90c0d6 |
} else if (!strncmp(b, ":scheme: ", namelen)) {
|
|
|
90c0d6 |
/* XXX: What to do about this one? (typically
|
|
|
90c0d6 |
"http" or "https"). For now set it as a normal
|
|
|
90c0d6 |
@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
|
|
90c0d6 |
b++;
|
|
|
90c0d6 |
len-=1;
|
|
|
90c0d6 |
n = hp->nhd;
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
+ for (p = b + namelen, i = 0; i < len-namelen;
|
|
|
90c0d6 |
+ p++, i++) {
|
|
|
90c0d6 |
+ if (vct_issp(*p) || vct_isctl(*p))
|
|
|
90c0d6 |
+ return (H2SE_PROTOCOL_ERROR);
|
|
|
90c0d6 |
+ }
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
+ if (!i)
|
|
|
90c0d6 |
+ return (H2SE_PROTOCOL_ERROR);
|
|
|
90c0d6 |
} else if (!strncmp(b, ":authority: ", namelen)) {
|
|
|
90c0d6 |
b+=6;
|
|
|
90c0d6 |
len-=6;
|
|
|
90c0d6 |
@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
|
|
90c0d6 |
hp->hd[n].b = b;
|
|
|
90c0d6 |
hp->hd[n].e = b + len;
|
|
|
90c0d6 |
|
|
|
90c0d6 |
+ if (disallow_empty && !Tlen(hp->hd[n])) {
|
|
|
90c0d6 |
+ VSLb(hp->vsl, SLT_BogoHeader,
|
|
|
90c0d6 |
+ "Empty pseudo-header %.*s",
|
|
|
90c0d6 |
+ (int)namelen, b0);
|
|
|
90c0d6 |
+ return (H2SE_PROTOCOL_ERROR);
|
|
|
90c0d6 |
+ }
|
|
|
90c0d6 |
+
|
|
|
90c0d6 |
return (0);
|
|
|
90c0d6 |
}
|
|
|
90c0d6 |
|