From bdca206043a3bf1dc9890af040bd2ce380317a82 Mon Sep 17 00:00:00 2001
From: Arthur LE MOIGNE
Date: Thu, 18 Mar 2021 18:34:57 +0100
Subject: [PATCH] Deny requerst if :authority field is invalid only with CONNECT method

Signed-off-by: Arthur LE MOIGNE
---
 src/server.rs | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/server.rs b/src/server.rs
index 16a50da4..337b2a63 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -1466,13 +1466,27 @@ impl proto::Peer for Peer {
 // header
 if let Some(authority) = pseudo.authority {
 let maybe_authority = uri::Authority::from_maybe_shared(authority.clone().into_inner());
- parts.authority = Some(maybe_authority.or_else(|why| {
- malformed!(
- "malformed headers: malformed authority ({:?}): {}",
- authority,
- why,
- )
- })?);
+
+ // `:authority` is required only with `CONNECT` method.
+ // It should contains host and port. This is exactly what `uri::Authority` is
+ // going to parse.
+ //
+ // See: https://datatracker.ietf.org/doc/html/rfc7540#section-8.3
+ if is_connect {
+ if let Err(why) = &maybe_authority {
+ malformed!(
+ "malformed headers: malformed authority ({:?}): {}",
+ authority,
+ why,
+ );
+ }
+ }
+
+ // `authority` is not required in HTTP/2, so it is safe to keep it `None`
+ // in `parts`.
+ //
+ // See: https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.3
+ parts.authority = maybe_authority.ok();
 }

 // A :scheme is required, except CONNECT.
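Review bot: On non-CONNECT requests the last added line, `parts.authority = maybe_authority.ok();`, silently discards an `:authority` that was sent but failed to parse, so the handler cannot tell it apart from a request that never carried the field. The comment above it cites section 8.1.2.3 for the field being optional, which covers omission rather than an invalid value; if a hop in front of this server routed or applied host-based policy on the raw value, the two would presumably now disagree about the target. I would record the dropped value with the file's existing logging before the assignment and state the behaviour in the comment, e.g. `// A present but unparseable :authority is dropped, not rejected: handlers see None.` The CONNECT branch only rejects if `malformed!` returns from the enclosing function; that macro and `is_connect` are defined outside this hunk, and the function body starts and ends outside it too, so this is worth confirming. The diffstat shows no test changes, so a test covering an invalid `:authority` under both CONNECT and a non-CONNECT method would pin the intended split.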