From b84762b3e0c0e7708ddc98ae6b721ed10dc1be30 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 16 May 2025 14:51:13 +0200 Subject: [PATCH] BUG/MINOR: h3: don't insert more than one Host header Let's make sure we drop extraneous Host headers after having compared them. That also works when :authority was already present. This way, like for h1 and h2, we only keep one copy of it, while still making sure that Host matches :authority. This way, if a request has both :authority and Host, only one Host header will be produced (from :authority). Note that due to the different organization of the code and wording along the evolving RFCs, here we also check that all duplicates are identical, while h2 ignores them as per RFC7540, but this will be re-unified later. This should be backported to stable versions, at least 2.8, though thanks to the existing checks the impact is probably nul. --- src/h3.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/h3.c b/src/h3.c index 680589a65..d03c963c5 100644 --- a/src/h3.c +++ b/src/h3.c @@ -861,12 +861,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf, } if (isteq(list[hdr_idx].n, ist("host"))) { + struct ist prev_auth = authority; + if (h3_set_authority(qcs, &authority, list[hdr_idx].v)) { h3s->err = H3_ERR_MESSAGE_ERROR; qcc_report_glitch(h3c->qcc, 1); len = -1; goto out; } + + if (isttest(prev_auth)) { + /* skip duplicate Host header */ + ++hdr_idx; + continue; + } } else if (isteq(list[hdr_idx].n, ist("cookie"))) { http_cookie_register(list, hdr_idx, &cookie, &last_cookie); -- 2.47.2