
RE: Attack research on HTTP/2 implementations

From: Mike Bishop <mbishop@evequefou.be>
Date: Fri, 6 Aug 2021 15:04:33 +0000
To: Nick Harper <ietf@nharper.org>, Willy Tarreau <w@1wt.eu>
CC: HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <mt@lowentropy.net>
Message-ID: <BLAPR22MB22598F5A2D27F8C12F72B143DAF39@BLAPR22MB2259.namprd22.prod.outlook.com>
:authority isn’t included in the list because it’s slightly different – it’s not mandatory.  So the others must occur exactly once (which is stated), while :authority must occur no more than once (which isn’t).

But yes, that should be called out explicitly.

From: Nick Harper <ietf@nharper.org>
Sent: Friday, August 6, 2021 1:10 AM
To: Willy Tarreau <w@1wt.eu>
Cc: HTTP Working Group <ietf-http-wg@w3.org>; Martin Thomson <mt@lowentropy.net>
Subject: Re: Attack research on HTTP/2 implementations

On Thu, Aug 5, 2021 at 9:57 PM Willy Tarreau <w@1wt.eu> wrote:
> On Thu, Aug 05, 2021 at 09:01:33PM -0700, Nick Harper wrote:
> > I see that draft-ietf-httpbis-http2bis-03 has new
> > language to mostly cover that issue. I say "mostly" because I don't see any
> > specification of what should happen if multiple :authority pseudo-headers
> > are present. (I would argue that that is a malformed request.)
>
> Yep it's malformed. In 7540#8.1.2.3, it was already said:
>
>    All HTTP/2 requests MUST include exactly one valid value for the
>    ":method", ":scheme", and ":path" pseudo-header fields, ...

Unless I’m misreading something, that only covers some pseudo-headers, but it doesn’t include :authority. (The same language missing :authority is in http2bis section 8.3.1.)
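As an added illustration of the rule under discussion (this is not code from the thread, from the specification, or from any participant's implementation), the Python below validates the pseudo-header fields of a decoded HTTP/2 request block: ":method", ":scheme" and ":path" exactly once, ":authority" at most once, pseudo-headers only before regular fields. It goes slightly beyond the thread by also applying the CONNECT-method exception and the non-empty ":path" rule from RFC 7540 sections 8.3 and 8.1.2.3; the field lists are constructed sample input, and the function name is an assumption for this example.

```python
"""Pseudo-header validation for HTTP/2 requests (added example, not spec text).

RFC 7540 8.1.2.3 / http2bis 8.3.1: ":method", ":scheme" and ":path" must each
appear exactly once.  ":authority" is optional, so, as the thread argues, the
rule for it is "at most once".  A request that breaks any of this is malformed
and must be answered with 400 or a PROTOCOL_ERROR stream error, not forwarded:
a proxy that picks one of two ":authority" values while the origin picks the
other is exactly the kind of disagreement an attacker looks for.
"""

REQUEST_PSEUDO = {":method", ":scheme", ":path", ":authority"}
EXACTLY_ONCE = (":method", ":scheme", ":path")


def validate_request_pseudo_headers(fields):
    """fields: list of (name, value) pairs as decoded from HPACK, in order.

    Returns (True, None) for a well-formed request, (False, reason) otherwise.
    """
    counts = {}
    values = {}
    seen_regular = False
    for name, value in fields:
        if name.startswith(":"):
            if seen_regular:
                # RFC 7540 8.1.2.1: pseudo-headers must precede regular fields.
                return False, "pseudo-header %r after a regular field" % name
            if name not in REQUEST_PSEUDO:
                # ":status" is response-only; anything else is undefined.
                return False, "pseudo-header %r not allowed in a request" % name
            counts[name] = counts.get(name, 0) + 1
            values.setdefault(name, value)
        else:
            seen_regular = True
            if name != name.lower():
                # RFC 7540 8.1.2: field names must be lowercase in HTTP/2.
                return False, "field name %r is not lowercase" % name

    # The rule the thread says should be stated explicitly: at most one.
    if counts.get(":authority", 0) > 1:
        return False, "multiple :authority pseudo-headers"

    if counts.get(":method", 0) != 1:
        return False, ":method must appear exactly once"

    if values[":method"] == "CONNECT":
        # RFC 7540 8.3 (beyond the thread): CONNECT omits :scheme and :path
        # and must carry :authority (the host and port to tunnel to).
        if ":scheme" in counts or ":path" in counts:
            return False, "CONNECT request must omit :scheme and :path"
        if counts.get(":authority", 0) != 1:
            return False, "CONNECT request must carry exactly one :authority"
        return True, None

    for name in EXACTLY_ONCE:
        if counts.get(name, 0) != 1:
            return False, "%s must appear exactly once" % name

    # RFC 7540 8.1.2.3: :path must not be empty for http/https URIs.
    if values[":scheme"] in ("http", "https") and values[":path"] == "":
        return False, ":path must not be empty"

    return True, None


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = [
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    (":authority", "example.com"), ("user-agent", "demo/1.0"),
]
DUPLICATE_AUTHORITY = [
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    (":authority", "example.com"), (":authority", "internal.example"),
]
MISSING_SCHEME = [
    (":method", "GET"), (":path", "/"), (":authority", "example.com"),
]
LATE_PSEUDO = [
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    ("host", "example.com"), (":authority", "example.com"),
]
GOOD_CONNECT = [(":method", "CONNECT"), (":authority", "example.com:443")]


if __name__ == "__main__":
    for label, req in [("good", GOOD_REQUEST), ("dup-authority", DUPLICATE_AUTHORITY),
                       ("missing-scheme", MISSING_SCHEME), ("late-pseudo", LATE_PSEUDO),
                       ("connect", GOOD_CONNECT)]:
        print(label, validate_request_pseudo_headers(req))
```

The validator only decides well-formedness; it deliberately does not try to "pick" an ":authority" value when several are present, because any choice made at one hop that differs from the choice at the next hop is the ambiguity the thread is about.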
Received on Friday, 6 August 2021 15:04:48 UTC