
Re: Does curl validate the ":authority" header of HTTP/2 PUSH_PROMISE frames?

From: Nicolas Grekas via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 17 Feb 2019 14:33:41 +0100

We've just got an answer from nghttp2:
https://github.com/nghttp2/nghttp2/issues/1307

As suspected, nghttp2 doesn't validate, so it's up to libcurl now.

> The trivial way is to just accept the very authorities that were carried by
> the original client request. If you go beyond that, you end up evaluating
> certificate alt names, origin frames and maybe even the alt-svc settings
> that brought you there.
>

Not sure the RFC requires checking the origin frames or the alt-svc:
https://http2.github.io/http2-spec/#rfc.section.10.1

In my app, I implemented the trivial logic, but doing the alt names
validation feels risky: I'm not sure it's easy to implement properly,
while libcurl already embeds the logic when opening the connection.

It'd be really great if libcurl could do the validation by default!

I'm sorry I don't have the skills to implement this myself :(

Nicolas
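The "trivial" check discussed in this thread, as an added example that is not libcurl's or nghttp2's code: a pushed `:authority` is accepted only when it names the same host (case-insensitively) and port as the client request that opened the connection. The function names and the https-only default port of 443 are assumptions.

```c
/* Added example (not libcurl or nghttp2 code): the "trivial" PUSH_PROMISE
 * check from the mail. Hypothetical helper names; assumes an https origin,
 * so an :authority without an explicit port means port 443. */
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_HTTPS_PORT 443

/* Split "host[:port]" into a lowercased host and a numeric port.
 * Returns false on an empty host or a malformed port. */
static bool parse_authority(const char *authority, char *host, size_t hostsz,
                            unsigned *port)
{
    const char *colon = strrchr(authority, ':');
    size_t hostlen;
    if (authority[0] == '[') {          /* bracketed IPv6 literal */
        const char *close = strchr(authority, ']');
        if (!close) return false;
        colon = (close[1] == ':') ? close + 1 : NULL;
    }
    hostlen = colon ? (size_t)(colon - authority) : strlen(authority);
    if (hostlen == 0 || hostlen >= hostsz) return false;
    for (size_t i = 0; i < hostlen; i++)
        host[i] = (char)tolower((unsigned char)authority[i]);
    host[hostlen] = '\0';
    if (!colon) { *port = DEFAULT_HTTPS_PORT; return true; }
    char *end;
    unsigned long p = strtoul(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || p == 0 || p > 65535) return false;
    *port = (unsigned)p;
    return true;
}

/* Decision taken per PUSH_PROMISE: same host and port as the original
 * request, otherwise the pushed stream should be refused (RST_STREAM).
 * Anything unparseable is rejected rather than accepted by default. */
bool push_authority_allowed(const char *request_authority,
                            const char *push_authority)
{
    char rh[256], ph[256];
    unsigned rp, pp;
    if (!parse_authority(request_authority, rh, sizeof rh, &rp)) return false;
    if (!parse_authority(push_authority, ph, sizeof ph, &pp)) return false;
    return rp == pp && strcmp(rh, ph) == 0;
}
```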

Received on 2019-02-17