summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorChristoph M. Becker <cmbecker69@gmx.de>2019-09-16 15:32:58 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-09-16 23:36:22 +0200
commit7c596f5dea586c1ba99dfbe7f3ce1996d82f7de0 (patch)
treebb1d475039a815749d15658658e6448aced2682c /lib
parent9bc44ff64d90812251a1f91020d753f125cd6ab4 (diff)
downloadcurl-7c596f5dea586c1ba99dfbe7f3ce1996d82f7de0.tar.gz
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port, we assume it is valid for the default port, instead of rejecting the request for all ports. Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html Closes #4365
Diffstat (limited to 'lib')
-rw-r--r--lib/http2.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/http2.c b/lib/http2.c
index 31d2d698a..47583265d 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -967,7 +967,9 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
if(!check)
/* no memory */
return NGHTTP2_ERR_CALLBACK_FAILURE;
- if(!Curl_strcasecompare(check, (const char *)value)) {
+ if(!Curl_strcasecompare(check, (const char *)value) &&
+ ((conn->remote_port != conn->given->defport) ||
+ !Curl_strcasecompare(conn->host.name, (const char *)value))) {
/* This is push is not for the same authority that was asked for in
* the URL. RFC 7540 section 8.2 says: "A client MUST treat a
* PUSH_PROMISE for which the server is not authoritative as a stream