Open
Bug 1818483
Opened 2 years ago
Updated 2 years ago
http3 - treat invalid characters in headers as protocol violation
Categories: Core :: Networking, defect, P2
Tracking: NEW
People: Reporter: manuel, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [necko-triaged]
See https://phabricator.services.mozilla.com/D170484#5617084
We currently sanitize header name and value by replacing invalid characters with spaces.
    fn sanitize_header(mut y: Cow<[u8]>) -> Cow<[u8]> {
        for i in 0..y.len() {
            if matches!(y[i], b'\n' | b'\r' | b'\0') {
                y.to_mut()[i] = b' ';
            }
        }
        y
    }
The spec says to treat it as invalid characters and raise a stream error of type H3_MESSAGE_ERROR
https://www.rfc-editor.org/rfc/rfc9114.html#section-4.1.2
A malformed request or response is one that is an otherwise valid sequence of frames but is invalid due to:
[...]
- the inclusion of invalid characters in field names or values.
[...]
Intermediaries that process HTTP requests or responses (i.e., any intermediary not acting as a tunnel) MUST NOT forward a malformed request or response. Malformed requests or responses that are detected MUST be treated as a stream error of type H3_MESSAGE_ERROR.[...] Clients MUST NOT accept a malformed response. [...]
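The gap between the current behaviour and the quoted RFC text, as an added example (not code from this bug or from the Firefox tree): the sanitizer from the description next to a strict check that rejects the whole message. `validate_headers`, `is_invalid` and the sample header are hypothetical; the invalid byte set is the one the quoted function already uses, and the error code value is from RFC 9114 section 8.1.

```rust
use std::borrow::Cow;

/// Error code for H3_MESSAGE_ERROR (RFC 9114, section 8.1).
pub const H3_MESSAGE_ERROR: u64 = 0x010e;

/// Same byte set the quoted `sanitize_header` rewrites to spaces.
fn is_invalid(b: u8) -> bool {
    matches!(b, b'\n' | b'\r' | b'\0')
}

/// Current behaviour, as quoted in the bug: replace the byte and carry on.
pub fn sanitize_header(mut y: Cow<[u8]>) -> Cow<[u8]> {
    for i in 0..y.len() {
        if is_invalid(y[i]) {
            y.to_mut()[i] = b' ';
        }
    }
    y
}

/// Hypothetical strict variant: one invalid byte in any name or value makes
/// the message malformed. The caller would reset the stream with this code
/// and deliver none of the headers.
pub fn validate_headers(headers: &[(&[u8], &[u8])]) -> Result<(), u64> {
    for (name, value) in headers {
        if name.iter().chain(value.iter()).any(|&b| is_invalid(b)) {
            return Err(H3_MESSAGE_ERROR);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: a field value carrying an embedded CRLF.
    let bad: &[u8] = b"ok\r\nset-cookie: sid=1";
    let headers = [(&b"x-info"[..], bad)];
    let cleaned = sanitize_header(Cow::Borrowed(bad));
    println!("sanitized: {:?}", String::from_utf8_lossy(&cleaned));
    println!("validated: {:?}", validate_headers(&headers));
}
```

With sanitizing, the malformed value is still handed to the consumer in altered form; with validation, nothing from the message is accepted.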