HTTP/3+quiche with :status not coming first does wrong #4571

Closed
bagder opened this issue Nov 8, 2019 · 0 comments
Labels
HTTP/3 h3 or quic related

bagder commented Nov 8, 2019

Bug originally filed by @securityinsanity against quiche at cloudflare/quiche#248

Quiche, unlike nghttp2 and nghttp3, doesn't provide :status as the first pseudo header returned (and HTTP/3 itself doesn't enforce that it is, just that pseudo headers should come before "regular" ones), which curl presumes it will and therefore the h3->h1 header conversion will fail if that happens.

There's still a discussion with the quiche team going on whether this should be fixed in quiche or in curl.

@bagder bagder added the HTTP/3 h3 or quic related label Nov 8, 2019
bagder added a commit that referenced this issue Nov 8, 2019
:status doesn't have to be the first pseudo header to arrive so this
code now makes sure to handle that. A typical HTTP/3 response of course
doesn't provide any other pseudo headers...

Fixes #4571
bagder added a commit that referenced this issue Nov 8, 2019
:status doesn't have to be the first header from quiche to arrive so
this code now makes sure to handle such events. HTTP/3 (and HTTP/2)
mandates:

"All pseudo-header fields MUST appear in the header block before regular
header fields"

Fixes #4571
bagder added a commit that referenced this issue Nov 11, 2019
Pseudo header MUST come before regular headers or cause an error.

Reported-by: Cynthia Coan
Fixes #4571
@bagder bagder closed this as completed in b3eb7d1 Nov 12, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Feb 10, 2020
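
The behaviour this issue converged on, as an added example that is not curl's or quiche's code: accept `:status` at any position among the pseudo-header fields, and reject a pseudo-header field that arrives after a regular one. The `struct field` type, the `h3_to_h1` name, the emitted status-line format and the `:example` field used to exercise it are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* One decoded HTTP/3 field; hypothetical type for this example. */
struct field { const char *name; const char *value; };

/* Write an HTTP/1-style header block for the fields f[0..n-1] into out.
   Returns 0 on success, -1 if the field section is malformed or out is
   too small. h3_to_h1 is a hypothetical name, not a curl function. */
int h3_to_h1(const struct field *f, size_t n, char *out, size_t outlen)
{
  const char *status = NULL;
  int seen_regular = 0;
  size_t i, used;
  int len;

  /* Pass 1: check ordering and find :status wherever it sits among the
     pseudo-header fields. */
  for(i = 0; i < n; i++) {
    if(f[i].name[0] != ':')
      seen_regular = 1;
    else if(seen_regular)
      return -1; /* pseudo-header field after a regular field */
    else if(!strcmp(f[i].name, ":status"))
      status = f[i].value;
  }
  if(!status)
    return -1; /* no :status: nothing to build a status line from */

  /* Pass 2: status line first (format assumed here), then the regular
     fields in arrival order, then the blank line ending the block. */
  len = snprintf(out, outlen, "HTTP/3 %s\r\n", status);
  if(len < 0 || (size_t)len >= outlen)
    return -1;
  used = (size_t)len;
  for(i = 0; i < n; i++) {
    if(f[i].name[0] == ':')
      continue;
    len = snprintf(out + used, outlen - used, "%s: %s\r\n",
                   f[i].name, f[i].value);
    if(len < 0 || (size_t)len >= outlen - used)
      return -1;
    used += (size_t)len;
  }
  if(outlen - used < 3)
    return -1;
  memcpy(out + used, "\r\n", 3); /* includes the terminating NUL */
  return 0;
}
```

Validating the whole field section before emitting anything means a malformed block never yields a partial header block for the HTTP/1 side to parse.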