aboutsummaryrefslogtreecommitdiffstats
path: root/test/rfc7540_SUITE.erl
AgeCommit message (Collapse)Author
2019-10-03Add HTTP/2 tests with responses with HTTP/1.1 specific headersLoïc Hoguin
2019-10-02Fix HTTP/2 CVEsLoïc Hoguin
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
2019-09-05Fix and optimize sending of WINDOW_UPDATE framesLoïc Hoguin
For long-running connections it was possible for the connection window to become larger than allowed by the protocol because the window increases claimed by stream handlers were never reclaimed even if no data was consumed. The new code applies heuristics to fix this and reduce the number of WINDOW_UPDATE frames that are sent. It includes six new options to control that behavior: margin, max and threshold for both the connection and stream windows. The margin is some extra space added on top of the requested read size. The max is the maximum window size at any given time. The threshold is a minimum window size that must be reached before we even consider sending more WINDOW_UPDATE frames. We also avoid sending WINDOW_UPDATE frames when there is already enough space in the window, or when the read size is 0. Cowlib is set to master until a new tag is done.
2019-07-26Add a zero-length DATA frame in the lingering_data testTony Han
2019-07-16Data received after RST_STREAM counts toward windowTony Han
2019-04-01Fallback to host header if authority is missingFredrik Enestad
2018-11-19Use try..after in tests that start their own listenersLoïc Hoguin
2018-11-19Use ?FUNCTION_NAME instead of ct_helper:name()Loïc Hoguin
Cowboy is 19+ so it's OK to use it.
2018-05-22Fix intermittent test failures in rfc7540_SUITELoïc Hoguin
2018-05-22Ensure tests in rfc7540_SUITE can be repeatedLoïc Hoguin
2018-05-16Honor the SETTINGS_ENABLE_PUSH from clientsLoïc Hoguin
This fixes curl when fetching resources that use push.
2018-04-30Fix some intermittent test issues in rfc7540Loïc Hoguin
2018-04-30Fix some rfc7540 tests that had an empty :pathLoïc Hoguin
2018-04-30Reject HTTP/2 requests with a body size different than content-lengthLoïc Hoguin
2018-04-29Add tests for rejecting streams depending on themselvesLoïc Hoguin
2018-04-29Receive and ignore HTTP/2 request trailers if anyLoïc Hoguin
This is a first step toward properly supporting request trailers.
2018-04-28Add SETTINGS ack timeout and option settings_timeoutLoïc Hoguin
2018-04-28Fix intermittent test failures for rfc7540Loïc Hoguin
2018-04-27Fix an rfc7540 test to have a different error reasonLoïc Hoguin
2018-04-27Add options controlling maximum h2 frame sizesLoïc Hoguin
2018-04-26Add options controlling initial control flow windowsLoïc Hoguin
2018-04-25Add the max_concurrent_streams h2 optionLoïc Hoguin
2018-04-25Add options to control h2's SETTINGS_HEADER_TABLE_SIZELoïc Hoguin
2018-04-23HTTP/2 informational responses don't end the streamLoïc Hoguin
2018-02-28Fix crash in cowboy_http2 when content-length is invalidLoïc Hoguin
2017-11-29Fix a broken test case in the rfc7540 suiteLoïc Hoguin
2017-11-29Fix an intermittent test failure in the rfc7540 suiteLoïc Hoguin
2017-11-29Add nowarn_export_all to all test suitesLoïc Hoguin
2017-11-29Add many rfc7540 tests, improve detection of malformed requestsLoïc Hoguin
2017-11-27Add more flow control tests to rfc7540 and fix related issuesLoïc Hoguin
2017-11-27Add more rfc7540 tests along with their respective fixesLoïc Hoguin
2017-11-27Fix a few rfc7540 testsLoïc Hoguin
Cowboy takes a few shortcuts to avoid wasting resources when there is a protocol error. The RFC wants us to send a different error depending on the state of the stream at the time of the error, and for us to maintain the connection in cases where we would have to spend valuable resources to decode headers. In all these cases Cowboy will simply close the connection with an appropriate error.
2017-10-23Fix a bug in HTTP/2 where connection gets closed prematurelyLoïc Hoguin
When the user code was sending a response fully without reading the request body, the connection could get closed when receiving DATA frames for that body. We now ask the client to stop sending data via a NO_ERROR RST_STREAM, and linger any stream that has been reset so that we can skip any pending frames from that stream. This fixes a number of intermittent failures in req_SUITE, which now passes reliably. In addition a small number of rfc7540_SUITE test cases have been corrected as they were incorrect.
2017-05-23Add many tests for RFC7540 5.1 and 5.1.1 and related fixesLoïc Hoguin
2017-03-02Add more HTTP/2 tests for RFC7540 4.1 and 4.3Loïc Hoguin
2017-02-26Unknown HTTP/2 frames are ignoredLoïc Hoguin
2017-02-25Add many test cases covering RFC7540 4.2Loïc Hoguin
These tests cover frame sizes. It's mostly edge cases for sure (ie misbehaving clients and us having to reject them properly). I had these almost ready for a long time, so I'm glad I can push them out. This requires updating Cowlib too (we currently track master).
2017-01-02Welcome to 2017Loïc Hoguin
2016-03-14Clarify comments about remaining tests to add to rfc7540_SUITELoïc Hoguin
2016-03-13Fix most remaining HTTP/2 handshake testsLoïc Hoguin
One category of tests involving the SETTINGS ack still fails. It is probably wise to leave these until more SETTINGS related tests are written.
2016-03-13Fix more HTTP/2 handshake test casesLoïc Hoguin
2016-03-12Add initial HTTP/1.1 Upgrade to HTTP/2Loïc Hoguin
The same edge cases that fail with other handshake methods also fail here (mostly bad preface/timeouts stuff). In addition, the HTTP2-Settings header contents are currently not checked and so the related edge case tests also fail.
2016-03-10Add the beginning of the rfc7540 test suiteLoïc Hoguin
Currently only testing handshake. Tests that pass currently involve no request/response. ALPN and prior knowledge support have some edge cases left to fix. HTTP/1.1 Upgrade has not been implemented yet.