projects / haproxy-3.1.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: dcb963f) | patch
BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly
authorWilly Tarreau <w@1wt.eu>
Mon, 12 May 2025 15:45:33 +0000 (17:45 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Mon, 2 Jun 2025 14:20:37 +0000 (16:20 +0200)
commit479befa356966c12a0a0ead74971750de4ac4499
tree89e472d10dd985432035cad9fe2f021116ddebd9tree | snapshot
parentdcb963f9d777af39926e83f20e0a3c65c54f3bc0commit | diff
BUG/MEDIUM: h2/h3: reject some forbidden chars in :authority before reassembly

As discussed here:
   https://github.com/httpwg/http2-spec/pull/936
   https://github.com/haproxy/haproxy/issues/2941

It's important to take care of some special characters in the :authority
pseudo header before reassembling a complete URI, because after assembly
it's too late (e.g. the '/'). This patch does this, both for h2 and h3.

The impact on H2 was measured in the worst case at 0.3% of the request
rate, while the impact on H3 is around 1%, but H3 was about 1% faster
than H2 before and is now on par.

It may be backported after a period of observation, and in this case it
relies on this previous commit:

   MINOR: http: add a function to validate characters of :authority

Thanks to @DemiMarie for reviving this topic in issue #2941 and bringing
new potential interesting cases.

(cherry picked from commit 9a05c1f57490ba3adb378ad8e6e26830425514e7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
src/h2.c diff | blob | history
src/h3.c diff | blob | history
haproxy-3.1 public tree. Stable production code.