I saw Issue 21 about header validation, and I want to suggest additional validations. Otherwise, request smuggling vulnerabilities can arise.

The suggestions are all based on the HTTP/3 RFC specification, which refers to the HTTP/2 RFC specification (see RFC 9113 - Field Validity):

- Content-Length should be validated against the actual size of the body.
- Transfer-Encoding headers can only be accepted if the value is "trailers".
- Other than rejecting uppercase letters (this is already validated), field names must not contain characters in the ranges 0x00-0x20, 0x41-0x5a, or 0x7f-0xff.
- Except for pseudo-headers, headers must not contain single colons (:).
- Header values must not contain null bytes, \n (newlines) and \r (carriage returns).
- Header values must not contain \t (tabs) or spaces at the start or end.
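The checks listed in the issue, implemented as a stand-alone validator. This is an added example, not code from the project this issue belongs to; it assumes the HTTP/3 layer has already decoded the field section into a list of `(name, value)` byte pairs and that the request body is available as bytes. Every constant, function name and sample request below is constructed for illustration.

```python
"""Field-section validity checks for HTTP/2 and HTTP/3 (RFC 9113 section 8.2.1).

Added example: operates on a decoded field section (list of (name, value) byte
pairs) plus the request body, and returns every rule violation it finds.
"""
from typing import List, Tuple

Field = Tuple[bytes, bytes]

# Byte ranges a field name must not contain: control characters, uppercase
# ASCII (HTTP/2 and HTTP/3 field names are lowercase), DEL and non-ASCII bytes.
FORBIDDEN_NAME_RANGES = ((0x00, 0x20), (0x41, 0x5A), (0x7F, 0xFF))
# Bytes a field value must not contain anywhere: NUL, LF, CR.
FORBIDDEN_VALUE_BYTES = {0x00, 0x0A, 0x0D}
# Bytes a field value must not start or end with: SP, HTAB.
EDGE_WHITESPACE = {0x20, 0x09}


def name_violations(name: bytes) -> List[str]:
    """Check one field name against the name rules."""
    if not name:
        return ["empty field name"]
    problems: List[str] = []
    # A pseudo-header keeps its leading colon; no other colon is allowed.
    rest = name[1:] if name.startswith(b":") else name
    if b":" in rest:
        problems.append(f"field name {name!r} contains a colon")
    for byte in name:
        if any(lo <= byte <= hi for lo, hi in FORBIDDEN_NAME_RANGES):
            problems.append(f"field name {name!r} contains forbidden byte 0x{byte:02x}")
            break
    return problems


def value_violations(name: bytes, value: bytes) -> List[str]:
    """Check one field value against the value rules."""
    problems: List[str] = []
    if any(byte in FORBIDDEN_VALUE_BYTES for byte in value):
        problems.append(f"value of {name!r} contains NUL, CR or LF")
    if value and (value[0] in EDGE_WHITESPACE or value[-1] in EDGE_WHITESPACE):
        problems.append(f"value of {name!r} has leading or trailing whitespace")
    return problems


def validate_field_section(fields: List[Field], body: bytes) -> List[str]:
    """Return every violation in a decoded field section plus its body.

    An empty list means the request passes all the checks listed in the issue;
    a server would reject the request (malformed) on any non-empty result.
    """
    problems: List[str] = []
    for name, value in fields:
        problems += name_violations(name)
        problems += value_violations(name, value)
        if name == b"transfer-encoding" and value != b"trailers":
            # HTTP/2 and HTTP/3 carry no chunked framing; only "trailers" is meaningful.
            problems.append(f"transfer-encoding {value!r} is not 'trailers'")
        if name == b"content-length":
            if not value.isdigit():
                problems.append(f"content-length {value!r} is not a non-negative integer")
            elif int(value) != len(body):
                problems.append(
                    f"content-length {int(value)} does not match body size {len(body)}"
                )
    return problems


# Constructed sample field sections (not taken from the project or the issue).
VALID_REQUEST: List[Field] = [
    (b":method", b"POST"),
    (b":path", b"/upload"),
    (b"content-type", b"text/plain"),
    (b"content-length", b"5"),
]
VALID_BODY = b"hello"

INVALID_REQUEST: List[Field] = [
    (b":method", b"POST"),
    (b":path", b"/upload"),
    (b"transfer-encoding", b"chunked"),   # only "trailers" is allowed
    (b"content-length", b"99"),           # does not match the 5-byte body
    (b"x-forwarded-host", b" example.test "),  # leading/trailing whitespace
    (b"x-bad:name", b"1"),                # colon in a non-pseudo-header name
    (b"x-note", b"a\r\nfoo: bar"),        # CR/LF inside a value
]

if __name__ == "__main__":
    print("valid request:", validate_field_section(VALID_REQUEST, VALID_BODY))
    for problem in validate_field_section(INVALID_REQUEST, VALID_BODY):
        print("invalid request:", problem)
```

Each rule is reported separately rather than failing on the first hit, which makes it straightforward to log exactly which validation a rejected request tripped.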