
Re: Attack research on HTTP/2 implementations

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 6 Aug 2021 06:57:27 +0200
To: Nick Harper <ietf@nharper.org>
Cc: Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20210806045727.GC25391@1wt.eu>
On Thu, Aug 05, 2021 at 09:01:33PM -0700, Nick Harper wrote:
> > I agree, unless I'm mistaken, everything that was attacked there is
> > already dealt with in the spec (allowed characters in values & names
> > etc).
> >
> I saw one thing in the paper that I don't think is addressed by RFC 7540:
> the handling of a request that contains both an :authority pseudo-header
> and a Host header.

This is in fact addressed by HTTP: when you have :authority, it becomes
the authority part of the URI and must match the Host header field. But
I agree that it's not always trivial to address.

> I see that draft-ietf-httpbis-http2bis-03 has new
> language to mostly cover that issue. I say "mostly" because I don't see any
> specification of what should happen if multiple :authority pseudo-headers
> are present. (I would argue that that is a malformed request.)

Yep, it's malformed. In 7540#, it was already said:

   All HTTP/2 requests MUST include exactly one valid value for the
   ":method", ":scheme", and ":path" pseudo-header fields, ...

Received on Friday, 6 August 2021 04:57:46 UTC
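As an added example, not code from this thread, from the paper or from any implementation it studied, here is a Python check that applies the rules discussed above to a decoded HEADERS block: exactly one :method, :scheme and :path, at most one :authority, and agreement between :authority and any Host field; it also enforces RFC 7540's pseudo-header ordering and defined-name rules, which go slightly beyond the thread. The header lists are constructed samples, and the case-insensitive host comparison and the exclusion of CONNECT are simplifying assumptions.

```python
from collections import Counter

# Pseudo-header fields RFC 7540 defines for requests.
REQUEST_PSEUDO = {":method", ":scheme", ":authority", ":path"}
REQUIRED_ONCE = (":method", ":scheme", ":path")


def validate_h2_request(headers):
    """Check a decoded HEADERS block given as (name, value) pairs with
    names already lowercased as HTTP/2 requires. Returns (True, "ok") or
    (False, reason). CONNECT requests (no :scheme/:path) are out of scope."""
    counts = Counter(name for name, _ in headers)
    seen_regular = False
    for name, _ in headers:
        if name.startswith(":"):
            if seen_regular:
                return False, f"pseudo-header {name} after a regular field"
            if name not in REQUEST_PSEUDO:
                return False, f"undefined pseudo-header {name}"
        else:
            seen_regular = True
    # "Exactly one valid value" for :method, :scheme and :path.
    for name in REQUIRED_ONCE:
        if counts[name] != 1:
            return False, f"expected exactly one {name}, got {counts[name]}"
    # The case raised in the thread: two :authority values is malformed.
    if counts[":authority"] > 1:
        return False, "multiple :authority pseudo-headers"
    if counts["host"] > 1:
        return False, "multiple host header fields"
    # :authority is the URI authority, so a Host field must agree with it.
    # Host names are case-insensitive; ports are compared literally here.
    authority = next((v for n, v in headers if n == ":authority"), None)
    host = next((v for n, v in headers if n == "host"), None)
    if authority is not None and host is not None and authority.lower() != host.lower():
        return False, f"host {host!r} does not match :authority {authority!r}"
    return True, "ok"


# Constructed sample header blocks (not taken from the paper or the thread).
CONSISTENT = [(":method", "GET"), (":scheme", "https"),
              (":authority", "example.com"), (":path", "/"),
              ("host", "Example.com")]
MISMATCHED_HOST = [(":method", "GET"), (":scheme", "https"),
                   (":authority", "example.com"), (":path", "/"),
                   ("host", "internal.example")]
DUPLICATE_AUTHORITY = [(":method", "GET"), (":scheme", "https"),
                       (":authority", "example.com"),
                       (":authority", "other.example"), (":path", "/")]
```

A front-end proxy would run this before forwarding, rejecting the stream with a malformed-request error rather than picking one of the conflicting values.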
