http2, internal/httpcommon: reject userinfo in :authority · golang/net@43c2540 (original) (raw)

`@@ -1032,6 +1032,26 @@ func TestServer_Request_Reject_Pseudo_Unknown(t *testing.T) {

`

1032

1032

` })

`

1033

1033

`}

`

1034

1034

``

``

1035

`+

func TestServer_Request_Reject_Authority_Userinfo(t *testing.T) {

`

``

1036

`+

// "':authority' MUST NOT include the deprecated userinfo subcomponent

`

``

1037

`+

// for "http" or "https" schemed URIs."

`

``

1038

`+

// https://www.rfc-editor.org/rfc/rfc9113.html#section-8.3.1-2.3.8

`

``

1039

`+

testRejectRequest(t, func(st *serverTester) {

`

``

1040

`+

var buf bytes.Buffer

`

``

1041

`+

enc := hpack.NewEncoder(&buf)

`

``

1042

`+

enc.WriteField(hpack.HeaderField{Name: ":authority", Value: "userinfo@example.tld"})

`

``

1043

`+

enc.WriteField(hpack.HeaderField{Name: ":method", Value: "GET"})

`

``

1044

`+

enc.WriteField(hpack.HeaderField{Name: ":path", Value: "/"})

`

``

1045

`+

enc.WriteField(hpack.HeaderField{Name: ":scheme", Value: "https"})

`

``

1046

`+

st.writeHeaders(HeadersFrameParam{

`

``

1047

`+

StreamID: 1, // clients send odd numbers

`

``

1048

`+

BlockFragment: buf.Bytes(),

`

``

1049

`+

EndStream: true,

`

``

1050

`+

EndHeaders: true,

`

``

1051

`+

})

`

``

1052

`+

})

`

``

1053

`+

}

`

``

1054

+

1035

1055

`func testRejectRequest(t *testing.T, send func(*serverTester)) {

`

1036

1056

`st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {

`

1037

1057

`t.Error("server request made it to handler; should've been rejected")

`
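Review bot: TestServer_Request_Reject_Authority_Userinfo pins a single input, `userinfo@example.tld` with `:scheme` set to `https`, although the RFC sentence quoted in its comment covers both "http" and "https". A regression that kept the check for only one scheme, or matched only some userinfo shapes, would still pass. A table-driven version with one subtest per scheme/authority pair would close that gap. The extra values below are constructed samples, and whether each must be rejected should be confirmed against the validation code, which is not in this hunk. The body of testRejectRequest continues past the end of the hunk, so it is not visible whether it checks the reason for the rejection; if it only checks that the handler was not reached, the dropped `enc.WriteField` errors could let the test pass for an unrelated malformed-header reason.

```go
func TestServer_Request_Reject_Authority_Userinfo(t *testing.T) {
	// … unchanged: RFC 9113 quotation and link …
	for _, tc := range []struct{ scheme, authority string }{
		{"https", "userinfo@example.tld"},      // value already used by the test
		{"http", "userinfo@example.tld"},       // constructed: other scheme named by the RFC text
		{"https", "user:password@example.tld"}, // constructed: userinfo with a password part
	} {
		t.Run(tc.scheme+"_"+tc.authority, func(t *testing.T) {
			testRejectRequest(t, func(st *serverTester) {
				// … unchanged: buf and hpack encoder setup …
				enc.WriteField(hpack.HeaderField{Name: ":authority", Value: tc.authority})
				// … unchanged: :method and :path fields …
				enc.WriteField(hpack.HeaderField{Name: ":scheme", Value: tc.scheme})
				// … unchanged: st.writeHeaders call …
			})
		})
	}
```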