What happened?
RFC 9114 Section 4.3:
“All pseudo-header fields MUST appear in the header section before regular header fields. Any request or response that contains a pseudo-header field that appears after a regular header field MUST be treated as malformed.”
不合规 – 仅在发送端排序,接收端无验证
xquic在发送端将伪头字段排在普通头字段之前,但在接收端完全没有验证伪头字段是否出现在普通头字段之前。如果对端发送的头部中伪头字段出现在普通头字段之后,xquic不会将其视为格式错误。
xqc_h3_stream.c (xqc_h3_stream_process_request) 接收端无伪头字段顺序验证
nghttp3_http.c:538-543 nghttp3_http_on_header() 通过 NGHTTP3_HTTP_FLAG_PSEUDO_HEADER_DISALLOWED 标志位跟踪,一旦出现普通头字段就设置此标志,后续伪头字段出现时返回 NGHTTP3_ERR_MALFORMED_HTTP_HEADER
修复建议:
在接收端添加伪头字段顺序验证,检测到伪头字段出现在普通字段之后时返回H3_MESSAGE_ERROR
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output
What happened?
RFC 9114 Section 4.3:
“All pseudo-header fields MUST appear in the header section before regular header fields. Any request or response that contains a pseudo-header field that appears after a regular header field MUST be treated as malformed.”
不合规 – 仅在发送端排序,接收端无验证
xquic在发送端将伪头字段排在普通头字段之前,但在接收端完全没有验证伪头字段是否出现在普通头字段之前。如果对端发送的头部中伪头字段出现在普通头字段之后,xquic不会将其视为格式错误。
xqc_h3_stream.c (xqc_h3_stream_process_request) 接收端无伪头字段顺序验证
nghttp3_http.c:538-543 nghttp3_http_on_header() 通过 NGHTTP3_HTTP_FLAG_PSEUDO_HEADER_DISALLOWED 标志位跟踪,一旦出现普通头字段就设置此标志,后续伪头字段出现时返回 NGHTTP3_ERR_MALFORMED_HTTP_HEADER
修复建议:
在接收端添加伪头字段顺序验证,检测到伪头字段出现在普通字段之后时返回H3_MESSAGE_ERROR
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output