curl / Mailing Lists / curl-library / Single Mail


Re: Does curl validate the ":authority" header of HTTP/2 PUSH_PROMISE frames?

From: Stefan Eissing via curl-library <>
Date: Thu, 14 Feb 2019 16:04:19 +0100

> Am 14.02.2019 um 15:26 schrieb Daniel Stenberg via curl-library <>:
> Then the question remains if nghttp2 does the check for us, but browsed around in that code for a while and I can't say I'm entirely sure of my findings but I couldn't see that it checked for this. I'm afraid this leaves me unable to answer the question with absolute certainty for the moment.

Such a decision to reject certain :authority is either trivial or gets very complicated really fast.

The trivial way is to just accept the very authorities that was carried by the original client request. If you go beyond that, you end up evaluating certificate alt names, origin frames and maybe even the alt-svc settings that brought you there.

nghttp2 is too 'low level' for the latter, I think. So I would not be surprised if it skips this altogether. To at least enforce the trivial check in curl with some option to disable would be a good idea, probably.


Note that tests with Apache h2 will not help as the code in the server only pushes same domains. For similar reasons. One source of PUSHes are Link: headers from the application or a proxied server and I do not really trust those.
Received on 2019-02-14