

Re: Does curl validate the ":authority" header of HTTP/2 PUSH_PROMISE frames?

From: Daniel Stenberg via curl-library <>
Date: Thu, 14 Feb 2019 15:26:37 +0100 (CET)

On Wed, 13 Feb 2019, Nicolas Grekas via curl-library wrote:

> Does curl validate the ":authority" header of HTTP/2 PUSH_PROMISE frames or
> is this left as an "exercise" to implementers?

> The RFC says it MUST be validated, so maybe that's already done by default?
> Does anyone know?

That's a very good question.

It isn't documented in the libcurl docs for push, which would be suitable.

I don't think this is a responsibility that should be pushed to the
application. Not only because it isn't documented, but perhaps more
importantly because the spec says so on a protocol level and we shouldn't hand
over that burden to the app if we can avoid it, I think.

I think it is clear that curl doesn't do the check.

Then the question remains if nghttp2 does the check for us, but I browsed around
in that code for a while and I can't say I'm entirely sure of my findings but
I couldn't see that it checked for this. I'm afraid this leaves me unable to
answer the question with absolute certainty for the moment.

Do you have a setup where you can verify if such a "bad" header will be
ignored and be left for the application to check?

Received on 2019-02-14
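
An application-side check for the case raised in this thread, as an added example that is not curl's or nghttp2's code: a push callback that denies any PUSH_PROMISE whose ":authority" differs from the origin the connection was opened to. The helper `push_authority_ok`, the `WITH_LIBCURL` build macro, the use of `clientp` to carry the origin host, and the same-origin policy itself (stricter than the RFC, which allows any authority the server is authoritative for) are assumptions of this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a libcurl API): returns 1 when the pushed
   ":authority" names the same host and port as the origin the parent
   connection was opened to, 0 otherwise. The host must be given in the
   form used in the URL (IPv6 literals with brackets). */
int push_authority_ok(const char *authority, const char *host, unsigned port)
{
    if (!authority || !host || !*host)
        return 0;
    if (strchr(authority, '@'))      /* userinfo must not appear here */
        return 0;

    /* Case-insensitive match of the host part; stops safely if the
       authority string is shorter than the host. */
    size_t i = 0;
    for (; host[i]; i++)
        if (tolower((unsigned char)authority[i]) !=
            tolower((unsigned char)host[i]))
            return 0;

    const char *rest = authority + i;
    if (*rest == '\0')
        return port == 443;          /* no port: assume the https default */
    if (*rest != ':')
        return 0;                    /* e.g. "example.com.evil.test" */
    rest++;
    size_t n = strlen(rest);
    if (n == 0 || n > 5 || strspn(rest, "0123456789") != n)
        return 0;
    return strtoul(rest, NULL, 10) == port;
}

#ifdef WITH_LIBCURL  /* assumed macro: build with -DWITH_LIBCURL -lcurl */
#include <curl/curl.h>
/* Set with CURLMOPT_PUSHFUNCTION; CURLMOPT_PUSHDATA is assumed to point
   at the origin host string, and the origin port is assumed to be 443. */
static int on_push(CURL *parent, CURL *easy, size_t num_headers,
                   struct curl_pushheaders *headers, void *clientp)
{
    (void)parent; (void)easy; (void)num_headers;
    const char *auth = curl_pushheader_byname(headers, ":authority");
    return push_authority_ok(auth, (const char *)clientp, 443)
               ? CURL_PUSH_OK : CURL_PUSH_DENY;
}
#endif
```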