
http2: don't allow invalid characters in headers #33144

Closed
wants to merge 1 commit into from

Conversation

rexagod
Member

@rexagod rexagod commented Apr 29, 2020

Refs: #29829

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the http2 Issues or PRs related to the http2 subsystem. label Apr 29, 2020
@jasnell
Member

jasnell commented Apr 29, 2020

These checks were left out of the http2 code largely because these characters are significantly less dangerous in http2 than http1 due to the way header encoding works. The invalid characters are also handled significantly better by implementations.

Specifically, in HTTP/1, because header bytes are written out directly to the stream, invalid characters are dangerous because they can introduce security issues that enable vulnerabilities like request/response smuggling/splitting. With HTTP2's binary framing and header encoding, those risks are eliminated and many http/2 implementations have improved checks at the header decoding layer to catch (and ignore) invalid headers when they are encountered.

These checks at the JavaScript layer, then, are not strictly needed the way they are in the HTTP/1 implementation and I'm not convinced we need them.
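
The HTTP/1 concern in the comment above, as an added example that is not part of this PR or Node's own code: a stand-alone validator in the spirit of the checks Node applies at its HTTP/1 layer, with a serializer that refuses a header instead of writing its bytes straight into the stream. The character classes follow the RFC 7230 token and field-value grammar and are an assumption of this example, not a copy of lib/_http_common.js.

```javascript
// Added example, not code from the Node.js project. The regexes below model
// the RFC 7230 grammar as Node's HTTP/1 layer is understood to enforce it
// (assumption of this example, not copied from Node's sources).

// Field names must be RFC 7230 tokens: no whitespace, separators or control bytes.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field values: HTAB, visible ASCII and obs-text only. CR, LF and NUL are the
// bytes that would terminate or corrupt a header line on a text-based wire.
const INVALID_VALUE_CHAR_RE = /[^\t\x20-\x7e\x80-\xff]/;

function validateHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function validateHeaderValue(value) {
  return typeof value === 'string' && !INVALID_VALUE_CHAR_RE.test(value);
}

// HTTP/1 serialization writes name and value directly into the byte stream,
// so an unchecked CR LF inside a value would end the header line early and
// start a new one. This serializer throws on such input instead of emitting it.
function serializeHttp1Headers(headers) {
  const lines = [];
  for (const [name, value] of Object.entries(headers)) {
    if (!validateHeaderName(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!validateHeaderValue(value)) {
      throw new TypeError(`invalid character in value of header ${name}`);
    }
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Names of headers whose name or value would be rejected: the check a
// JavaScript layer can run before handing headers to any transport.
function findInvalidHeaders(headers) {
  return Object.entries(headers)
    .filter(([n, v]) => !validateHeaderName(n) || !validateHeaderValue(v))
    .map(([n]) => n);
}

// Constructed sample: one well-formed header, one carrying CR LF, one with NUL.
const SAMPLE_HEADERS = {
  'content-type': 'text/plain',
  'x-note': 'ok\r\nx-injected: 1',
  'x-bin': 'a\x00b',
};
```

Running `findInvalidHeaders(SAMPLE_HEADERS)` reports `x-note` and `x-bin`; `serializeHttp1Headers(SAMPLE_HEADERS)` throws rather than producing a second header line from the CR LF.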

@BridgeAR
Member

BridgeAR commented May 3, 2020

I am going to close this due to the mentioned comment. If anyone disagrees, please reopen, leave a comment or open a new PR.
