authorLoïc Hoguin <[email protected]>2019-10-01 21:09:24 +0200
committerLoïc Hoguin <[email protected]>2019-10-01 21:09:24 +0200
commit7f0978df6dad631316c29ba0dbbd33df9cfb77b4 (patch)
treef053c2529b726332dd003962c8c1ef7e4aaf1b90
parent1d2904588c142800f572b02f1e9d6ac5a65caa51 (diff)
Reject empty HTTP/2 header names
-rw-r--r--src/cow_http2_machine.erl2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/cow_http2_machine.erl b/src/cow_http2_machine.erl
index 41605ef..0779ffc 100644
--- a/src/cow_http2_machine.erl
+++ b/src/cow_http2_machine.erl
@@ -659,6 +659,8 @@ headers_regular_headers(Frame=#headers{id=StreamID},
stream_reset(StreamID, State, protocol_error, HumanReadable)
end.
+regular_headers([{<<>>, _}|_], _) ->
+ {error, 'Empty header names are not valid regular headers. (CVE-2019-9516)'};
regular_headers([{<<":", _/bits>>, _}|_], _) ->
{error, 'Pseudo-headers were found after regular headers. (RFC7540 8.1.2.1)'};
regular_headers([{<<"connection">>, _}|_], _) ->
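Review bot: The new `regular_headers([{<<>>, _}|_], _)` clause only sees the header list after it has been decoded, and the context line `stream_reset(StreamID, State, protocol_error, HumanReadable)` suggests the rejection surfaces as a per-stream reset rather than a connection error. CVE-2019-9516 is a resource-exhaustion issue, so a peer could presumably repeat the same input on fresh streams; it is worth confirming that the caller limits or escalates repeated resets. A comment such as `%% Empty name: rejected per stream, after decoding; limiting repeat offenders is left to the caller.` would record that. The diffstat shows only this file changing, so a regression test that passes a `{<<>>, <<>>}` header and expects `{error, _}` would be a useful addition. Both headers_regular_headers and regular_headers extend outside the hunk.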