Skip to content

Commit 43c2540

Browse files
neildgopherbot
neild
authored and
gopherbot
committed
http2, internal/httpcommon: reject userinfo in :authority
RFC 9113, section 8.3.1: The :authority (host) in an HTTP request must not include a userinfo (e.g., user@host). Change-Id: I459a3da40b825c9662467778f582050c7358f8bb Reviewed-on: https://go-review.googlesource.com/c/net/+/652456 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Jonathan Amsterdam <[email protected]> Auto-Submit: Damien Neil <[email protected]>
1 parent 1d78a08 commit 43c2540

File tree

2 files changed

+30
-0
lines changed

2 files changed

+30
-0
lines changed

http2/server_test.go

+20
Original file line numberDiff line numberDiff line change
@@ -1032,6 +1032,26 @@ func TestServer_Request_Reject_Pseudo_Unknown(t *testing.T) {
10321032
})
10331033
}
10341034

1035+
func TestServer_Request_Reject_Authority_Userinfo(t *testing.T) {
1036+
// "':authority' MUST NOT include the deprecated userinfo subcomponent
1037+
// for "http" or "https" schemed URIs."
1038+
// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8
1039+
testRejectRequest(t, func(st *serverTester) {
1040+
var buf bytes.Buffer
1041+
enc := hpack.NewEncoder(&buf)
1042+
enc.WriteField(hpack.HeaderField{Name: ":authority", Value: "[email protected]"})
1043+
enc.WriteField(hpack.HeaderField{Name: ":method", Value: "GET"})
1044+
enc.WriteField(hpack.HeaderField{Name: ":path", Value: "/"})
1045+
enc.WriteField(hpack.HeaderField{Name: ":scheme", Value: "https"})
1046+
st.writeHeaders(HeadersFrameParam{
1047+
StreamID: 1, // clients send odd numbers
1048+
BlockFragment: buf.Bytes(),
1049+
EndStream: true,
1050+
EndHeaders: true,
1051+
})
1052+
})
1053+
}
1054+
10351055
func testRejectRequest(t *testing.T, send func(*serverTester)) {
10361056
st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {
10371057
t.Error("server request made it to handler; should've been rejected")

internal/httpcommon/request.go

+10
Original file line numberDiff line numberDiff line change
@@ -432,6 +432,16 @@ func NewServerRequest(rp ServerRequestParam) ServerRequestResult {
432432
}
433433
}
434434
delete(rp.Header, "Trailer")
435+
436+
// "':authority' MUST NOT include the deprecated userinfo subcomponent
437+
// for "http" or "https" schemed URIs."
438+
// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8
439+
if strings.IndexByte(rp.Authority, '@') != -1 && (rp.Scheme == "http" || rp.Scheme == "https") {
440+
return ServerRequestResult{
441+
InvalidReason: "userinfo_in_authority",
442+
}
443+
}
444+
435445
var url_ *url.URL
436446
var requestURI string
437447
if rp.Method == "CONNECT" && rp.Protocol == "" {

0 commit comments

Comments
 (0)