3f5fbe9407
From time to time, users complain about getting 400-Bad-request responses for totally valid CONNECT requests. After analysis, it is because the H1 parser performs an exact match between the authority and the host header value. For non-CONNECT requests, it is valid. But for CONNECT requests the authority must contain a port while it is often omitted from the host header value (for default ports). So, to be sure not to reject valid CONNECT requests, a basic authority validation is now performed during the message parsing. In addition, the host header value is normalized. It means the default port is removed if possible. This patch should solve the issue #1761. It must be backported to 2.6 and probably as far as 2.4.

| File |
|---|
| common.pem |
| h1_host_normalization.vtc |
| h1_to_h1.vtc |
| h2_desync_attacks.vtc |
| h2_to_h1.vtc |
| http_abortonclose.vtc |
| http_bodyless_response.vtc |
| http_msg_full_on_eom.vtc |
| http_request_buffer.vtc |
| http_splicing.vtc |
| http_transfer_encoding.vtc |
| http_wait_for_body.vtc |
| protocol_upgrade.vtc |
| scheme_based_normalize.vtc |
| srv_ws.vtc |
| websocket.vtc |