Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

What characters are permitted #846

Merged
merged 7 commits into from
Jun 3, 2021
Merged

What characters are permitted #846

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f82ea92
What characters are permitted
martinthomson Apr 23, 2021
5ba1891
e
martinthomson Apr 28, 2021
995fbf0
Restore field name
martinthomson Apr 28, 2021
bf4686b
Warning: messages might be invalid
martinthomson Apr 29, 2021
fef6a4f
Add Mark's suggestions
martinthomson May 20, 2021
4b361c0
Refactor text
martinthomson May 20, 2021
05686ee
Is this better?
martinthomson May 24, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 38 additions & 16 deletions draft-ietf-httpbis-http2bis.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2847,10 +2847,38 @@
registered HTTP fields, see the "Hypertext Transfer Protocol (HTTP) Field Name Registry" registry maintained at <eref target="https://www.iana.org/assignments/http-fields/"/>.
</t>
<t>
Just as in HTTP/1.x, field names are strings of ASCII characters that are
compared in a case-insensitive fashion. Field names MUST be converted
to lowercase prior to their encoding in HTTP/2. A request or response containing
uppercase header field names MUST be treated as <xref target="malformed">malformed</xref>.
Field names are strings of ASCII characters that are compared in a case-insensitive
fashion. Field names MUST be converted to lowercase when constructing a HTTP/2
message. A request or response containing an uppercase character ('A' to 'Z', ASCII 0x41
to 0x5a) MUST be treated as <xref target="malformed">malformed</xref>.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

obvious observation but this sentence loses the "field" subject, which seems worse than the previous version

</t>
<t>
HPACK is capable of carrying field names or values that are not valid in HTTP. Though
HPACK can carry octets with any value, fields are not valid in the following cases:
martinthomson marked this conversation as resolved.
Show resolved Hide resolved
</t>
<ul>
<li>
A carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character
(NUL, ASCII 0x0) MUST NOT be included at any position in a field name or value.
</li>
<li>
With the exception of <xref target="PseudoHeaderFields">pseudo-header fields</xref>,
which have a name that starts with a single colon, field names MUST NOT include a
colon (COLON, ASCII 0x3a).
</li>
<li>
A field name or value MUST NOT start or end with a whitespace character (SP or HTAB,
ASCII 0x20 or 0x9).
</li>
martinthomson marked this conversation as resolved.
Show resolved Hide resolved
</ul>
mnot marked this conversation as resolved.
Show resolved Hide resolved
<t>
A request or response that contains a field that violates any of these conditions MUST
be treated as <xref target="malformed">malformed</xref>.
</t>
<t>
Field values that are not valid according to the definition of the corresponding field
do not cause a requst to be <xref target="malformed" format="none">malformed</xref>
martinthomson marked this conversation as resolved.
Show resolved Hide resolved
except as defined by the processing rules for the field.
</t>
<section anchor="PseudoHeaderFields">
<name>Pseudo-Header Fields</name>
Expand Down Expand Up @@ -3707,18 +3735,12 @@
<section>
<name>Intermediary Encapsulation Attacks</name>
<t>
The HTTP/2 field block encoding allows the expression of names that are not valid field
names in HTTP. Requests or responses containing
invalid field names MUST be treated as <xref target="malformed">malformed</xref>.
An intermediary therefore cannot translate an HTTP/2 request or response containing an
invalid field name into an HTTP/1.1 message.
</t>
<t>
Similarly, HTTP/2 allows field values that are not valid. While most of the values
that can be encoded will not alter header field parsing, carriage return (CR, ASCII 0xd),
line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0) might be exploited by
an attacker if they are translated verbatim. Any request or response that contains a
character not permitted in a field value MUST be treated as <xref target="malformed">malformed</xref>. Valid characters are defined by the <tt>field-content</tt> ABNF rule in <xref target="HTTP" section="5.5"/>.
Lukasa marked this conversation as resolved.
Show resolved Hide resolved
HPACK permits encoding of field names and values that might be treated as delimiters in
other HTTP versions. An intermediary that translates an HTTP/2 request or response MUST
validate fields according to the rules in <xref target="HttpHeaders"/> roles before
translating a message to another HTTP version. Translating a field that includes invalid
delimiters could be used to cause recipients to incorrectly interpret a message, which
could be exploited by an attacker.
</t>
</section>
<section>
Expand Down