fix: HeaderName::from_lowercase allowing NUL bytes in some cases

seanmonstar · seanmonstar · commit 96dc52f51333 · 2024-03-04T11:24:03.000-05:00
If a byte slice larger than 64 bytes is passed to
`HeaderName::from_lowercase`, it could allow NUL bytes. This fixes the
bug.

Reported-by: squirrel8@email.cz
diff --git a/src/header/name.rs b/src/header/name.rs
@@ -1176,9 +1176,9 @@ impl HeaderName {
             }
             Repr::Custom(MaybeLower { buf, lower: false }) => {
                 for &b in buf.iter() {
-                    // HEADER_CHARS maps all bytes that are not valid single-byte
+                    // HEADER_CHARS_H2 maps all bytes that are not valid single-byte
                     // UTF-8 to 0 so this check returns an error for invalid UTF-8.
-                    if b != HEADER_CHARS[b as usize] {
+                    if HEADER_CHARS_H2[b as usize] == 0 {
                         return Err(InvalidHeaderName::new());
                     }
                 }
@@ -1904,4 +1904,16 @@ mod tests {
     fn test_all_tokens() {
         HeaderName::from_static("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz");
     }
+
+    #[test]
+    fn test_from_lowercase() {
+        HeaderName::from_lowercase(&[0; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[b'A'; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[0x1; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[0xFF; 10]).unwrap_err();
+        //HeaderName::from_lowercase(&[0; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[b'A'; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[0x1; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[0xFF; 100]).unwrap_err();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -1176,9 +1176,9 @@ impl HeaderName {`
`1176`	`1176`	`}`
`1177`	`1177`	`Repr::Custom(MaybeLower { buf, lower: false }) => {`
`1178`	`1178`	`for &b in buf.iter() {`
`1179`		`- // HEADER_CHARS maps all bytes that are not valid single-byte`
	`1179`	`+ // HEADER_CHARS_H2 maps all bytes that are not valid single-byte`
`1180`	`1180`	`// UTF-8 to 0 so this check returns an error for invalid UTF-8.`
`1181`		`- if b != HEADER_CHARS[b as usize] {`
	`1181`	`+ if HEADER_CHARS_H2[b as usize] == 0 {`
`1182`	`1182`	`return Err(InvalidHeaderName::new());`
`1183`	`1183`	`}`
`1184`	`1184`	`}`
`@@ -1904,4 +1904,16 @@ mod tests {`
`1904`	`1904`	`fn test_all_tokens() {`
`1905`	`1905`	HeaderName::from_static("!#$%&'*+-.^_`\|~0123456789abcdefghijklmnopqrstuvwxyz");
`1906`	`1906`	`}`
	`1907`	`+`
	`1908`	`+ #[test]`
	`1909`	`+ fn test_from_lowercase() {`
	`1910`	`+ HeaderName::from_lowercase(&[0; 10]).unwrap_err();`
	`1911`	`+ HeaderName::from_lowercase(&[b'A'; 10]).unwrap_err();`
	`1912`	`+ HeaderName::from_lowercase(&[0x1; 10]).unwrap_err();`
	`1913`	`+ HeaderName::from_lowercase(&[0xFF; 10]).unwrap_err();`
	`1914`	`+ //HeaderName::from_lowercase(&[0; 100]).unwrap_err();`
	`1915`	`+ HeaderName::from_lowercase(&[b'A'; 100]).unwrap_err();`
	`1916`	`+ HeaderName::from_lowercase(&[0x1; 100]).unwrap_err();`
	`1917`	`+ HeaderName::from_lowercase(&[0xFF; 100]).unwrap_err();`
	`1918`	`+ }`
`1907`	`1919`	`}`