HTTP/2 Check header names in HeaderCoalescer

net/spdy/header_coalescer.cc

Index: net/spdy/header_coalescer.cc
diff --git a/net/spdy/header_coalescer.cc b/net/spdy/header_coalescer.cc
index 497c07991983a5423c77a16b6e4178d74736521d..1419d77d8d8627c487d5741136aee3813b7aca8e 100644
--- a/net/spdy/header_coalescer.cc
+++ b/net/spdy/header_coalescer.cc
@@ -7,6 +7,7 @@
 #include <utility>
 
 #include "base/strings/string_util.h"
+#include "net/http/http_util.h"
 #include "net/spdy/platform/api/spdy_estimate_memory_usage.h"
 
 namespace net {
@@ -24,22 +25,29 @@ void HeaderCoalescer::OnHeader(base::StringPiece key, base::StringPiece value) {
     return;
   }
 
-  // 32 byte overhead according to RFC 7540 Section 6.5.2.
-  header_list_size_ += key.size() + value.size() + 32;
-  if (header_list_size_ > kMaxHeaderListSize) {
-    error_seen_ = true;
-    return;
-  }
-
+  base::StringPiece key_name = key;
   if (key[0] == ':') {
     if (regular_header_seen_) {
       error_seen_ = true;
       return;
     }
+    key_name.remove_prefix(1);
   } else {
     regular_header_seen_ = true;
   }
 
+  if (!HttpUtil::IsValidHeaderName(key_name)) {
+    error_seen_ = true;
+    return;
+  }
+
+  // 32 byte overhead according to RFC 7540 Section 6.5.2.
+  header_list_size_ += key.size() + value.size() + 32;
+  if (header_list_size_ > kMaxHeaderListSize) {
+    error_seen_ = true;
+    return;
+  }
+
   // End of line delimiter is forbidden according to RFC 7230 Section 3.2.
   // Line folding, RFC 7230 Section 3.2.4., is a special case of this.
   if (value.find("\r\n") != base::StringPiece::npos) {

[asanka, 2017/02/23 17:45:13]

HttpUtil::IsValidHeaderValue(value)

According to RFC 7230 § 3.2 only allows VCHAR / obs-text / SP, and HTAB in the
field value. IsValidHeaderValue() just checks that the value doesn't contain LF,
CR, or NUL.

[xunjieli, 2017/02/23 23:07:37]

Done.