I did this
Nicolas Grekas correctly pointed out on the mailing list that libcurl doesn't verify the :authority header correctly in the push headers, as described in RFC 7540:
The server MUST include a value in the :authority pseudo-header field for which the server is authoritative (see Section 10.1). A client MUST treat a PUSH_PROMISE for which the server is not authoritative as a stream error (Section 5.4.2) of type PROTOCOL_ERROR.
Right now, libcurl leaves that check for the application without it being documented or explained.
I expected the following
libcurl needs to check the header and reject pushes for non-validated authorities.
curl/libcurl version
curl master
operating system
All
RFC 7540 says we should verify that the push is for an "authoritative"
server. We make sure of this by only allowing push with an :authority
header that matches the host that was asked for in the URL.
Fixes #3577
Reported-by: Nicolas Grekas
Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
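One way to implement the host-match rule the commit message describes, as an added example that is not libcurl's own code: a hypothetical push_authority_ok() helper (assumed name and signature) parses the :authority value of a PUSH_PROMISE, including bracketed IPv6 literals and an optional port, fills in the scheme default port when none is given, and accepts the push only when host and port are exactly those of the original request. It assumes req_host is the host taken from the request URL without brackets and req_port is the effective port. It deliberately implements the stricter "same host as the URL" check the commit chose, not the broader certificate-based definition of "authoritative" in RFC 7540 section 10.1.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges; host names compare
 * case-insensitively. */
static bool host_ieq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Split an :authority value of the form "host[:port]" or "[v6-literal][:port]".
 * On success *host/*hostlen point into auth (brackets stripped) and *port is
 * the explicit port or default_port. Returns false on any malformed input:
 * empty host, unmatched bracket, empty or non-numeric port, port > 65535. */
static bool split_authority(const char *auth, const char **host, size_t *hostlen,
                            unsigned *port, unsigned default_port)
{
    const char *colon = NULL;

    if (auth[0] == '[') {
        const char *close = strchr(auth, ']');
        if (!close)
            return false;
        *host = auth + 1;
        *hostlen = (size_t)(close - auth - 1);
        if (close[1] == ':')
            colon = close + 1;
        else if (close[1] != '\0')
            return false;             /* junk after the closing bracket */
    }
    else {
        colon = strchr(auth, ':');
        *host = auth;
        *hostlen = colon ? (size_t)(colon - auth) : strlen(auth);
    }
    if (*hostlen == 0)
        return false;

    if (!colon) {
        *port = default_port;
        return true;
    }
    if (colon[1] == '\0')
        return false;                 /* "host:" with no digits */
    unsigned long v = 0;
    for (const char *q = colon + 1; *q; q++) {
        if (!isdigit((unsigned char)*q))
            return false;
        v = v * 10 + (unsigned long)(*q - '0');
        if (v > 65535)
            return false;
    }
    *port = (unsigned)v;
    return true;
}

/* Hypothetical helper (assumed name, not libcurl's API): decide whether a
 * PUSH_PROMISE carrying `authority` may be accepted on a connection whose
 * original request went to req_host:req_port. Accept only when the pushed
 * authority names exactly the host and port that were asked for; anything
 * malformed or different is rejected, which the caller would turn into a
 * PROTOCOL_ERROR stream reset. */
bool push_authority_ok(const char *authority, const char *req_host,
                       unsigned req_port, bool https)
{
    const char *host;
    size_t hostlen;
    unsigned port;

    if (!authority || !req_host)
        return false;
    if (!split_authority(authority, &host, &hostlen, &port, https ? 443u : 80u))
        return false;
    if (port != req_port)
        return false;
    return host_ieq(host, hostlen, req_host, strlen(req_host));
}

int main(void)
{
    /* constructed sample values, not captured from a real server */
    printf("%d\n", push_authority_ok("EXAMPLE.com:443", "example.com", 443, true)); /* 1 */
    printf("%d\n", push_authority_ok("evil.example", "example.com", 443, true));    /* 0 */
    return 0;
}
```

Comparing the port as well as the host matters: a push for "example.com:8443" is a different origin from the "example.com:443" the client connected to, and a match on the host string alone would let it through.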