Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP/2 requests can be sent with incorrect :scheme pseudo-header #2708

Merged
merged 5 commits into from
Sep 22, 2023
Merged

HTTP/2 requests can be sent with incorrect :scheme pseudo-header #2708

merged 5 commits into from
Sep 22, 2023

Conversation

idelpivnitskiy
Copy link
Member

@idelpivnitskiy idelpivnitskiy commented Sep 21, 2023
edited
Loading

Motivation:

#2672 changed the way we infer waitForSslHandshake flag. In case of ALPN, the handshake is already complete and the flag is evaluated as false. However, H2ToStH1ClientDuplexHandler used the same flag for setting :scheme pseudo-header. As a result, client could send requests with :scheme: http instead of https.

Modifications:

  • Use parentContext.sslConfig() to infer the correct scheme for H2ToStH1ClientDuplexHandler;
  • Add H2SchemeTest to validate the remote server received correct :scheme in all cases;

Result:

HTTP/2 client sends correct :scheme.

@idelpivnitskiy
HTTP/2 requests can be sent with incorrect :scheme pseudo-header
4d418d8 
Motivation:

apple#2672 changed the way we infer `waitForSslHandshake` flag. In case of
ALPN, the handshake is already complete and the flag evaluated to
`false`. However, `H2ToStH1ClientDuplexHandler` used the same flag for
setting `:scheme` pseudo-header. As the result, client could send
requests with `:scheme: http` instead of `https`.

Modifications:

- Use `parentContext.sslConfig()`/`connection.sslConfig()` to infer the
correct scheme;
- Promote `scheme` to `AbstractH2DuplexHandler` to use it on the server
side for assertion (because `:scheme` is not propagated to users space,
there is no otherwise an easy way to write an integration test that will
evaluate received `:scheme`);

Result:

HTTP/2 client sends correct `:scheme`.
@idelpivnitskiy idelpivnitskiy self-assigned this Sep 21, 2023
@idelpivnitskiy idelpivnitskiy marked this pull request as draft September 21, 2023 23:10
@idelpivnitskiy idelpivnitskiy marked this pull request as ready for review September 21, 2023 23:44
@idelpivnitskiy idelpivnitskiy merged commit 248df1c into apple:main Sep 22, 2023
@idelpivnitskiy idelpivnitskiy deleted the h2-scheme branch September 22, 2023 05:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Scottmitch Scottmitch Scottmitch approved these changes

Assignees

@idelpivnitskiy idelpivnitskiy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@idelpivnitskiy @Scottmitch