andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
05c2967e4a
netty5/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2Headers.java
Julien Hoarau 3e6b54bb59 Fix failing h2spec tests 8.1.2.1 related to pseudo-headers validation 
Motivation:

According to the spec:
All pseudo-header fields MUST appear in the header block before regular
header fields. Any request or response that contains a pseudo-header
field that appears in a header block after
a regular header field MUST be treated as malformed (Section 8.1.2.6).

Pseudo-header fields are only valid in the context in which they are defined.
Pseudo-header fields defined for requests MUST NOT appear in responses;
pseudo-header fields defined for responses MUST NOT appear in requests.
Pseudo-header fields MUST NOT appear in trailers.
Endpoints MUST treat a request or response that contains undefined or
invalid pseudo-header fields as malformed (Section 8.1.2.6).

Clients MUST NOT accept a malformed response. Note that these requirements
are intended to protect against several types of common attacks against HTTP;
they are deliberately strict because being permissive can expose
implementations to these vulnerabilities.

Modifications:

- Introduce validation in HPackDecoder

Result:

- Requests with unknown pseudo-field headers are rejected
- Requests with containing response specific pseudo-headers are rejected
- Requests where pseudo-header appear after regular header are rejected
- h2spec 8.1.2.1 pass
2018-01-29 19:42:56 -08:00

200 lines
6.5 KiB
Java
Raw Blame History

/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License, version 2.0 (the
* "License"); you may not use this file except in compliance with the License. You may obtain a
* copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License
* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
* or implied. See the License for the specific language governing permissions and limitations under
* the License.
*/
package io.netty.handler.codec.http2;
import io.netty.handler.codec.Headers;
import io.netty.util.AsciiString;
import io.netty.util.internal.UnstableApi;
import java.util.Iterator;
import java.util.Map.Entry;
/**
* A collection of headers sent or received via HTTP/2.
*/
@UnstableApi
public interface Http2Headers extends Headers<CharSequence, CharSequence, Http2Headers> {
/**
* HTTP/2 pseudo-headers names.
*/
enum PseudoHeaderName {
/**
* {@code :method}.
*/
METHOD(":method", true),
/**
* {@code :scheme}.
*/
SCHEME(":scheme", true),
/**
* {@code :authority}.
*/
AUTHORITY(":authority", true),
/**
* {@code :path}.
*/
PATH(":path", true),
/**
* {@code :status}.
*/
STATUS(":status", false);
private static final char PSEUDO_HEADER_PREFIX = ':';
private static final byte PSEUDO_HEADER_PREFIX_BYTE = (byte) PSEUDO_HEADER_PREFIX;
private final AsciiString value;
private final boolean requestOnly;
private static final CharSequenceMap<PseudoHeaderName> PSEUDO_HEADERS = new CharSequenceMap<PseudoHeaderName>();
static {
for (PseudoHeaderName pseudoHeader : PseudoHeaderName.values()) {
PSEUDO_HEADERS.add(pseudoHeader.value(), pseudoHeader);
}
}
PseudoHeaderName(String value, boolean requestOnly) {
this.value = AsciiString.cached(value);
this.requestOnly = requestOnly;
}
public AsciiString value() {
// Return a slice so that the buffer gets its own reader index.
return value;
}
/**
* Indicates whether the specified header follows the pseudo-header format (begins with ':' character)
*
* @return {@code true} if the header follow the pseudo-header format
*/
public static boolean hasPseudoHeaderFormat(CharSequence headerName) {
if (headerName instanceof AsciiString) {
final AsciiString asciiHeaderName = (AsciiString) headerName;
return asciiHeaderName.length() > 0 && asciiHeaderName.byteAt(0) == PSEUDO_HEADER_PREFIX_BYTE;
} else {
return headerName.length() > 0 && headerName.charAt(0) == PSEUDO_HEADER_PREFIX;
}
}
/**
* Indicates whether the given header name is a valid HTTP/2 pseudo header.
*/
public static boolean isPseudoHeader(CharSequence header) {
return PSEUDO_HEADERS.contains(header);
}
/**
* Returns the {@link PseudoHeaderName} corresponding to the specified header name.
*
* @return corresponding {@link PseudoHeaderName} if any, {@code null} otherwise.
*/
public static PseudoHeaderName getPseudoHeader(CharSequence header) {
return PSEUDO_HEADERS.get(header);
}
/**
* Indicates whether the pseudo-header is to be used in a request context.
*
* @return {@code true} if the pseudo-header is to be used in a request context
*/
public boolean isRequestOnly() {
return requestOnly;
}
}
/**
* Returns an iterator over all HTTP/2 headers. The iteration order is as follows:
* 1. All pseudo headers (order not specified).
* 2. All non-pseudo headers (in insertion order).
*/
@Override
Iterator<Entry<CharSequence, CharSequence>> iterator();
/**
* Equivalent to {@link #getAll(Object)} but no intermediate list is generated.
* @param name the name of the header to retrieve
* @return an {@link Iterator} of header values corresponding to {@code name}.
*/
Iterator<CharSequence> valueIterator(CharSequence name);
/**
* Sets the {@link PseudoHeaderName#METHOD} header or {@code null} if there is no such header
*/
Http2Headers method(CharSequence value);
/**
* Sets the {@link PseudoHeaderName#SCHEME} header if there is no such header
*/
Http2Headers scheme(CharSequence value);
/**
* Sets the {@link PseudoHeaderName#AUTHORITY} header or {@code null} if there is no such header
*/
Http2Headers authority(CharSequence value);
/**
* Sets the {@link PseudoHeaderName#PATH} header or {@code null} if there is no such header
*/
Http2Headers path(CharSequence value);
/**
* Sets the {@link PseudoHeaderName#STATUS} header or {@code null} if there is no such header
*/
Http2Headers status(CharSequence value);
/**
* Gets the {@link PseudoHeaderName#METHOD} header or {@code null} if there is no such header
*/
CharSequence method();
/**
* Gets the {@link PseudoHeaderName#SCHEME} header or {@code null} if there is no such header
*/
CharSequence scheme();
/**
* Gets the {@link PseudoHeaderName#AUTHORITY} header or {@code null} if there is no such header
*/
CharSequence authority();
/**
* Gets the {@link PseudoHeaderName#PATH} header or {@code null} if there is no such header
*/
CharSequence path();
/**
* Gets the {@link PseudoHeaderName#STATUS} header or {@code null} if there is no such header
*/
CharSequence status();
/**
* Returns {@code true} if a header with the {@code name} and {@code value} exists, {@code false} otherwise.
* <p>
* If {@code caseInsensitive} is {@code true} then a case insensitive compare is done on the value.
*
* @param name the name of the header to find
* @param value the value of the header to find
* @param caseInsensitive {@code true} then a case insensitive compare is run to compare values.
* otherwise a case sensitive compare is run to compare values.
*/
boolean contains(CharSequence name, CharSequence value, boolean caseInsensitive);
}
Reference in New Issue View Git Blame Copy Permalink