[gnurl] 26/222: http2: relax verification of :authority in push promise
From: gnunet
Subject: [gnurl] 26/222: http2: relax verification of :authority in push promise requests
Date: Thu, 07 Nov 2019 00:08:42 +0100
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 7c596f5dea586c1ba99dfbe7f3ce1996d82f7de0
Author: Christoph M. Becker <address@hidden>
AuthorDate: Mon Sep 16 15:32:58 2019 +0200
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.
Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html
Closes #4365
---
lib/http2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/http2.c b/lib/http2.c
index 31d2d698a..47583265d 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -967,7 +967,9 @@ static int on_header(nghttp2_session *session, const
nghttp2_frame *frame,
if(!check)
/* no memory */
return NGHTTP2_ERR_CALLBACK_FAILURE;
- if(!Curl_strcasecompare(check, (const char *)value)) {
+ if(!Curl_strcasecompare(check, (const char *)value) &&
+ ((conn->remote_port != conn->given->defport) ||
+ !Curl_strcasecompare(conn->host.name, (const char *)value))) {
/* This is push is not for the same authority that was asked for in
* the URL. RFC 7540 section 8.2 says: "A client MUST treat a
* PUSH_PROMISE for which the server is not authoritative as a stream
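Review bot: the three-line condition added in on_header() relaxes an authority check but has no comment saying when a portless :authority is accepted, and the diffstat shows lib/http2.c as the only file changed, so no test accompanies it. As written, the push is rejected only when the value differs from check and either conn->remote_port != conn->given->defport or the value differs from conn->host.name. A short comment above the condition stating that a bare host name is accepted only when the connection uses the default port would make that intent auditable. A test should cover the accepted case (portless value on the default port) and the rejected ones (portless value on a non-default port, and a different host name). The context comment just below also reads "This is push is not for" and should read "This push is not for".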