BUG/MEDIUM: h2: do not accept upper case letters in request header names

This is explicitly forbidden by 7540#8.1.2, and may be used to bypass
some of the other filters, so they must be blocked early. It removes
another issue reported by h2spec.

To backport to 1.8.

diff --git a/src/h2.c b/src/h2.c
index 64f27fe20def48501f36a0eb47dd5f23af62e42d..43ed7f3c8dd234ef291c45e36950ab6f5acc6f3f 100644 (file)
--- a/src/h2.c
+++ b/src/h2.c
@@ -133,6 +133,7 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize)
        int ck, lck; /* cookie index and last cookie index */
        int phdr;
        int ret;
+       int i;
 
        lck = ck = -1; // no cookie for now
        fields = 0;
@@ -143,6 +144,11 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize)
                }
                else {
                        /* this can be any type of header */
+                       /* RFC7540#8.1.2: upper case not allowed in header field names */
+                       for (i = 0; i < list[idx].n.len; i++)
+                               if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A')
+                                       goto fail;
+
                        phdr = h2_str_to_phdr(list[idx].n);
                }