From: Willy Tarreau Date: Fri, 16 May 2025 12:51:13 +0000 (+0200) Subject: BUG/MINOR: h3: don't insert more than one Host header X-Git-Tag: v3.0.11~22 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=df395f887f7bad97c1cce86005f1adeb94a61753;p=haproxy-3.0.git BUG/MINOR: h3: don't insert more than one Host header Let's make sure we drop extraneous Host headers after having compared them. That also works when :authority was already present. This way, like for h1 and h2, we only keep one copy of it, while still making sure that Host matches :authority. This way, if a request has both :authority and Host, only one Host header will be produced (from :authority). Note that due to the different organization of the code and wording along the evolving RFCs, here we also check that all duplicates are identical, while h2 ignores them as per RFC7540, but this will be re-unified later. This should be backported to stable versions, at least 2.8, though thanks to the existing checks the impact is probably nul. (cherry picked from commit b84762b3e0c0e7708ddc98ae6b721ed10dc1be30) Signed-off-by: Willy Tarreau (cherry picked from commit fd54c8ce6fb977e4591b73f677caf5743964bb45) Signed-off-by: Christopher Faulet --- diff --git a/src/h3.c b/src/h3.c index fe06d2e..39e98b9 100644 --- a/src/h3.c +++ b/src/h3.c @@ -828,12 +828,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf, } if (isteq(list[hdr_idx].n, ist("host"))) { + struct ist prev_auth = authority; + if (h3_set_authority(qcs, &authority, list[hdr_idx].v)) { h3s->err = H3_ERR_MESSAGE_ERROR; qcc_report_glitch(h3c->qcc, 1); len = -1; goto out; } + + if (isttest(prev_auth)) { + /* skip duplicate Host header */ + ++hdr_idx; + continue; + } } else if (isteq(list[hdr_idx].n, ist("cookie"))) { http_cookie_register(list, hdr_idx, &cookie, &last_cookie);