W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: Attack research on HTTP/2 implementations

From: Nick Harper <ietf@nharper.org>
Date: Thu, 5 Aug 2021 22:10:21 -0700
Message-ID: <CACcvr=kkncDJky+5sBU+UZpAjn_09UfZgsVn=sXEFB6KtCACtQ@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <mt@lowentropy.net>
On Thu, Aug 5, 2021 at 9:57 PM Willy Tarreau <w@1wt.eu> wrote:

> On Thu, Aug 05, 2021 at 09:01:33PM -0700, Nick Harper wrote:
> > I see that draft-ietf-httpbis-http2bis-03 has new
> > language to mostly cover that issue. I say "mostly" because I don't see
> any
> > specification of what should happen if multiple :authority pseudo-headers
> > are present. (I would argue that that is a malformed request.)
>
> Yep it's malformed. In 7540#8.1.2.3, it was already said:
>
>    All HTTP/2 requests MUST include exactly one valid value for the
>    ":method", ":scheme", and ":path" pseudo-header fields, ...
>

Unless I’m misreading something, that only covers some pseudo-headers, but
it doesn’t include :authority. (The same language missing :authority is in
http2bis section 8.3.1.)
Received on Friday, 6 August 2021 05:10:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 6 August 2021 05:10:47 UTC