http2, internal/httpcommon: reject userinfo in :authority

RFC 9113, section 8.3.1: The :authority (host) in an HTTP request must not include a userinfo (e.g., user@host). Change-Id: I459a3da40b825c9662467778f582050c7358f8bb Reviewed-on: https://go-review.googlesource.com/c/net/+/652456 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Jonathan Amsterdam <jba@google.com> Auto-Submit: Damien Neil <dneil@google.com>
golang · Feb 26, 2025 · 43c2540 · 43c2540
1 parent 1d78a08
commit 43c2540
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/http2/server_test.go b/http2/server_test.go
@@ -1032,6 +1032,26 @@ func TestServer_Request_Reject_Pseudo_Unknown(t *testing.T) {
 	})
 }
 
+func TestServer_Request_Reject_Authority_Userinfo(t *testing.T) {
+	// "':authority' MUST NOT include the deprecated userinfo subcomponent
+	// for "http" or "https" schemed URIs."
+	// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8
+	testRejectRequest(t, func(st *serverTester) {
+		var buf bytes.Buffer
+		enc := hpack.NewEncoder(&buf)
+		enc.WriteField(hpack.HeaderField{Name: ":authority", Value: "userinfo@example.tld"})
+		enc.WriteField(hpack.HeaderField{Name: ":method", Value: "GET"})
+		enc.WriteField(hpack.HeaderField{Name: ":path", Value: "/"})
+		enc.WriteField(hpack.HeaderField{Name: ":scheme", Value: "https"})
+		st.writeHeaders(HeadersFrameParam{
+			StreamID:      1, // clients send odd numbers
+			BlockFragment: buf.Bytes(),
+			EndStream:     true,
+			EndHeaders:    true,
+		})
+	})
+}
+
 func testRejectRequest(t *testing.T, send func(*serverTester)) {
 	st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {
 		t.Error("server request made it to handler; should've been rejected")

diff --git a/internal/httpcommon/request.go b/internal/httpcommon/request.go
@@ -432,6 +432,16 @@ func NewServerRequest(rp ServerRequestParam) ServerRequestResult {
 		}
 	}
 	delete(rp.Header, "Trailer")
+
+	// "':authority' MUST NOT include the deprecated userinfo subcomponent
+	// for "http" or "https" schemed URIs."
+	// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8
+	if strings.IndexByte(rp.Authority, '@') != -1 && (rp.Scheme == "http" || rp.Scheme == "https") {
+		return ServerRequestResult{
+			InvalidReason: "userinfo_in_authority",
+		}
+	}
+
 	var url_ *url.URL
 	var requestURI string
 	if rp.Method == "CONNECT" && rp.Protocol == "" {