He-Pin commented on code in PR #981:
URL: https://github.com/apache/pekko-http/pull/981#discussion_r2901586150


##########
http-core/src/main/scala/org/apache/pekko/http/impl/engine/http2/hpack/Http2HeaderParsing.scala:
##########
@@ -41,7 +41,9 @@ private[pekko] object Http2HeaderParsing {
   }
   object PathAndQuery extends HeaderParser[(Uri.Path, 
Option[String])](":path") {
     override def parse(name: String, value: String, parserSettings: 
ParserSettings): (Uri.Path, Option[String]) =
-      try {
+      if (value.isEmpty) {
+        protocolError("Pseudo-header ':path' must not be empty")
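
Review bot: The `value.isEmpty` check rejects an empty `:path` for every request, because `parse` only receives `name`, `value` and `parserSettings` and so cannot see which `:scheme` the request carries, while RFC 7540 Section 8.1.2.3 states the MUST NOT only for "http" and "https" URIs. Being stricter than the RFC is probably acceptable here, but a short code comment above the check citing the section and stating that the rejection is intentionally scheme-independent would make that explicit. Naming the section in the `protocolError` message would also make the failure easier to trace, and a test that sends an empty `:path` should accompany the change.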

Review Comment:
   The ":path" pseudo-header field includes the path and query parts
   of the target URI (the "path-absolute" production and optionally a
   '?' character followed by the "query" production (see Sections [3.3](https://datatracker.ietf.org/doc/html/rfc7540#section-3.3)
   and 3.4 of [[RFC3986](https://datatracker.ietf.org/doc/html/rfc3986)]).  A request in asterisk form includes the
   value '*' for the ":path" pseudo-header field.
   
   This pseudo-header field MUST NOT be empty for "http" or "https"
   URIs; "http" or "https" URIs that do not contain a path component
   MUST include a value of '/'.  The exception to this rule is an
   OPTIONS request for an "http" or "https" URI that does not include
   a path component; these MUST include a ":path" pseudo-header field
   with a value of '*' (see [[RFC7230], Section 5.3.4](https://datatracker.ietf.org/doc/html/rfc7230#section-5.3.4)).
   
   All HTTP/2 requests MUST include exactly one valid value for the
   ":method", ":scheme", and ":path" pseudo-header fields, unless it is
   a CONNECT request ([Section 8.3](https://datatracker.ietf.org/doc/html/rfc7540#section-8.3)).  An HTTP request that omits
   mandatory pseudo-header fields is malformed ([Section 8.1.2.6](https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.6)).
   
   HTTP/2 does not define a way to carry the version identifier that is
   included in the HTTP/1.1 request line.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
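
The request pseudo-header rules quoted in the review comment above, written out as a stand-alone check. This is an added example, not part of the review comment and not pekko-http code; `PseudoHeaderCheck` and `validate` are hypothetical names, and the restriction of `*` to OPTIONS is taken from RFC 7230 Section 5.3.4.

```scala
// Added example: hypothetical names, no pekko-http APIs are used.
object PseudoHeaderCheck {
  private val Required = Seq(":method", ":scheme", ":path")

  /** Left(reason) when the request is malformed, Right(()) otherwise.
    * `headers` is the decoded header list of one request, in wire order.
    */
  def validate(headers: Seq[(String, String)]): Either[String, Unit] = {
    def values(name: String): Seq[String] =
      headers.filter(_._1 == name).map(_._2)

    val method = values(":method")
    if (method.size != 1) Left("exactly one ':method' is required")
    // CONNECT follows its own rules (RFC 7540 Section 8.3), out of scope here.
    else if (method.head == "CONNECT") Right(())
    else
      Required.find(n => values(n).size != 1) match {
        case Some(name) => Left(s"exactly one '$name' is required")
        case None =>
          val scheme = values(":scheme").head.toLowerCase
          val path = values(":path").head
          val httpLike = scheme == "http" || scheme == "https"
          if (httpLike && path.isEmpty)
            Left("':path' must not be empty for http/https URIs")
          else if (path == "*" && method.head != "OPTIONS")
            Left("asterisk-form ':path' is only valid with OPTIONS")
          else if (httpLike && path != "*" && !path.startsWith("/"))
            Left("':path' must be path-absolute (start with '/')")
          else Right(())
      }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample header lists, not captured traffic.
    val samples = Seq(
      "plain GET" -> Seq(":method" -> "GET", ":scheme" -> "https", ":path" -> "/a?x=1"),
      "empty path" -> Seq(":method" -> "GET", ":scheme" -> "https", ":path" -> ""),
      "missing path" -> Seq(":method" -> "GET", ":scheme" -> "http"),
      "duplicate path" -> Seq(":method" -> "GET", ":scheme" -> "http", ":path" -> "/", ":path" -> "/b"),
      "OPTIONS *" -> Seq(":method" -> "OPTIONS", ":scheme" -> "https", ":path" -> "*"),
      "GET *" -> Seq(":method" -> "GET", ":scheme" -> "https", ":path" -> "*")
    )
    samples.foreach { case (label, hs) => println(s"$label -> ${validate(hs)}") }
  }
}
```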
