What happened?
RFC 9114 Section 4.2: “Characters in field names MUST be converted to lowercase prior to their encoding. A request or response that contains uppercase characters in field names MUST be treated as malformed.”
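On the sending side, when xquic (xqc_h3_request_make_name_lowercase) detects an uppercase field name, it only converts the name to lowercase and continues sending instead of rejecting the request. On the receiving side, there is no uppercase check on field names at all after QPACK decoding. The RFC requires that a request/response containing uppercase characters be treated as malformed, not silently corrected.
xqc_h3_request.c:484-530 xqc_h3_request_make_name_lowercase() is used only on the sending side; the receiving side has no uppercase check
nghttp3_http.c:530-563 nghttp3_http_on_header() detects uppercase letters in http_check_nonempty_header_name (A-Z are marked as -1 in VALID_HD_NAME_CHARS) and returns NGHTTP3_ERR_MALFORMED_HTTP_HEADER
Add an uppercase check for field names on the receiving side, and return an H3_MESSAGE_ERROR stream error when an uppercase letter is found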
Steps To Reproduce
Information and Steps to reproduce the behavior.
Relevant log output
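A sketch of the receive-side check proposed in this report, added here as an example and not taken from xquic or nghttp3. The `field_line` type, the function names and the sample sections are hypothetical; only the H3_MESSAGE_ERROR value (0x010e) comes from RFC 9114.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* H3_MESSAGE_ERROR code point as assigned in RFC 9114. */
#define H3_MESSAGE_ERROR 0x010eULL

/* Hypothetical view of one QPACK-decoded field line (name only); not an xquic type. */
typedef struct {
    const char *name;
    size_t      name_len;
} field_line;

/* Returns 0 if the name has no A-Z byte, else H3_MESSAGE_ERROR.
 * A plain byte-range compare keeps the check locale-independent, unlike isupper(). */
uint64_t check_field_name(const char *name, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (name[i] >= 'A' && name[i] <= 'Z') {
            return H3_MESSAGE_ERROR;
        }
    }
    return 0;
}

/* Checks every name in one decoded field section and stops at the first
 * offender; on failure *bad (if non-NULL) receives its index. */
uint64_t check_field_section(const field_line *f, size_t n, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        if (check_field_name(f[i].name, f[i].name_len) != 0) {
            if (bad != NULL) *bad = i;
            return H3_MESSAGE_ERROR;   /* malformed: reject, do not lowercase */
        }
    }
    return 0;
}

/* Constructed sample sections, not captured traffic. */
static const field_line SAMPLE_OK[]  = { {":method", 7}, {"content-type", 12}, {"x-request-id", 12} };
static const field_line SAMPLE_BAD[] = { {":method", 7}, {"Content-Type", 12}, {"x-request-id", 12} };

int main(void)
{
    size_t bad = 0;
    printf("ok  -> 0x%llx\n", (unsigned long long)check_field_section(SAMPLE_OK, 3, &bad));
    printf("bad -> 0x%llx\n", (unsigned long long)check_field_section(SAMPLE_BAD, 3, &bad));
    printf("first offending field index: %zu\n", bad);
    return 0;
}
```

The check runs on names after QPACK decoding, so it covers static-table, dynamic-table and literal field lines alike.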