Adds `^` and `|` to the set of allowed characters in HTTP/2 request paths. Despite the guidance in RFC 3986, these characters are well represented in HTTP requests from the public internet. Protected by FLAGS_gfe2_reloadable_flag_http2_reject_invalid_paths_non_cloud_3. PiperOrigin-RevId: 676056873
diff --git a/quiche/balsa/header_properties.h b/quiche/balsa/header_properties.h
index 4dd00e3..9b3d4de 100644
--- a/quiche/balsa/header_properties.h
+++ b/quiche/balsa/header_properties.h
@@ -51,10 +51,10 @@
 // The set of characters allowed in the Path and Query components of a URI, as
 // described in RFC 3986 Sections 3.3 and 3.4. Also includes the following
 // characters, which are not actually valid, but are seen in request paths on
-// the internet and unlikely to cause problems: []{}
+// the internet and unlikely to cause problems: []{}|^
 inline constexpr char kValidPathCharList[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~%!$&'()*"
- "+,;=:@/?[]{}";
+ "+,;=:@/?[]{}|^";
 // Returns true if the given `c` is invalid in a header field name. The first
 // version is spec compliant, the second one incorrectly allows '"'.
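Review bot: The comment on `kValidPathCharList` still only says the extra characters are "unlikely to cause problems", which tells a consumer of an accepted path nothing about what it may now receive. Since `|` and `^` are outside RFC 3986 and are passed through unencoded, I would add a line such as `// NOTE: []{}|^ are accepted as-is; consumers (backends, log parsers) must not assume an RFC 3986-valid path.` The commit message says the change is flag-protected, but the constant is widened unconditionally in this hunk and the flag check is not visible here. It is worth confirming that every user of the list sits behind that flag, otherwise the wider set applies to them regardless of the flag value.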
diff --git a/quiche/balsa/header_properties_test.cc b/quiche/balsa/header_properties_test.cc
index 41083d3..4437d74 100644
--- a/quiche/balsa/header_properties_test.cc
+++ b/quiche/balsa/header_properties_test.cc
@@ -106,9 +106,10 @@
 EXPECT_FALSE(HasInvalidPathChar("invalid_path/but/valid/chars"));
 EXPECT_FALSE(HasInvalidPathChar("/path/with?query;fragment"));
 EXPECT_FALSE(HasInvalidPathChar("/path2.fun/my_site-root/!&$=,+*()/wow"));
- // Surprise! [] and {} are seen in requests on the internet.
+ // Surprise! []{}^| are seen in requests on the internet.
 EXPECT_FALSE(HasInvalidPathChar("/square[brackets]surprisingly/allowed"));
 EXPECT_FALSE(HasInvalidPathChar("/curly{braces}surprisingly/allowed"));
+ EXPECT_FALSE(HasInvalidPathChar("/caret^pipe|surprisingly/allowed"));
 EXPECT_TRUE(HasInvalidPathChar("/path with spaces"));
 EXPECT_TRUE(HasInvalidPathChar("/path\rwith\tother\nwhitespace"));
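Review bot: The rejecting cases visible in this hunk cover only whitespace, so nothing here pins which printable characters stay rejected now that the allow-list has been widened. A regression guard such as `EXPECT_TRUE(HasInvalidPathChar("/path\"with<other>invalid\\chars`"));` would catch a future edit that loosens the list further than intended. The new positive case also puts `^` and `|` in one string, so a failure would not say which character regressed; two separate assertions would read more clearly. The test body continues outside the hunk, so such cases may already exist further down.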