No public description PiperOrigin-RevId: 922307935
diff --git a/quiche/balsa/balsa_frame.cc b/quiche/balsa/balsa_frame.cc
index 923f2c0..8113cc1 100644
--- a/quiche/balsa/balsa_frame.cc
+++ b/quiche/balsa/balsa_frame.cc
@@ -430,8 +430,12 @@
 return;
 }
+ bool has_non_digit =
+ part2.find_first_not_of("0123456789") != absl::string_view::npos;
+ bool has_leading_zero = part2.length() > 1 && part2[0] == '0';
 if (headers_->parsed_response_code_ < 100 ||
- headers_->parsed_response_code_ > 599) {
+ headers_->parsed_response_code_ > 599 || has_non_digit ||
+ has_leading_zero) {
 if (http_validation_policy().disallow_invalid_response_codes) {
 parse_state_ = BalsaFrameEnums::ERROR;
 last_error_ = BalsaFrameEnums::INVALID_STATUS_CODE;
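Review bot: `has_non_digit` and `has_leading_zero` have no comment explaining why a syntactic check is still needed once the code has been converted to an integer, and a reader will assume the range test already implies a three-digit token. The new test rows show that it does not: "+200" and "0200" are reported as INVALID_STATUS_CODE rather than as a conversion failure, so the conversion above the hunk evidently accepts them. I would add `// An in-range value does not prove the token is three digits: the conversion above accepts a sign and leading zeros.` above the two declarations and mark both `const`. Both flags are consulted only in the existing range branch, so with `disallow_invalid_response_codes` off a non-canonical token is handled by whatever follows the policy check, which is outside the hunk and worth confirming if the raw status line can reach a stricter parser downstream. The enclosing function also starts and ends outside the hunk.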
diff --git a/quiche/balsa/balsa_frame_test.cc b/quiche/balsa/balsa_frame_test.cc
index d06a067..1f5999d 100644
--- a/quiche/balsa/balsa_frame_test.cc
+++ b/quiche/balsa/balsa_frame_test.cc
@@ -952,6 +952,9 @@
 {"600", BalsaFrameEnums::INVALID_STATUS_CODE},
 {"1000", BalsaFrameEnums::INVALID_STATUS_CODE},
 {"65740", BalsaFrameEnums::INVALID_STATUS_CODE},
+ {"0200", BalsaFrameEnums::INVALID_STATUS_CODE},
+ {"+200", BalsaFrameEnums::INVALID_STATUS_CODE},
+ {"200A", BalsaFrameEnums::FAILED_CONVERTING_STATUS_CODE_TO_INT},
 {"99999999999999999999999", BalsaFrameEnums::FAILED_CONVERTING_STATUS_CODE_TO_INT}};
 HttpValidationPolicy policy;
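Review bot: The new rows cover a leading zero, a leading `+` and a trailing letter, but not a leading `-`, which is the other sign a lenient integer conversion may accept. A row such as `{"-200", <expected error>},` would pin whether that token fails at conversion or at validation; the expected enum depends on the signedness of the parsed field, which is not visible here. The table's initializer and the test body continue outside the hunk.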
diff --git a/quiche/balsa/http_validation_policy.h b/quiche/balsa/http_validation_policy.h
index 87baab4..27e2852 100644
--- a/quiche/balsa/http_validation_policy.h
+++ b/quiche/balsa/http_validation_policy.h
@@ -125,7 +125,9 @@
 bool require_semicolon_delimited_chunk_extension = false;
 // Status codes outside the range [100, 599] are invalid, per RFC 9110,
- // Section 15 https://www.rfc-editor.org/rfc/rfc9110#section-15
+ // Section 15 https://www.rfc-editor.org/rfc/rfc9110#section-15. Additionally,
+ // status codes must begin with a digit within the range [1 - 5] and not
+ // contain any non-digit characters.
 bool disallow_invalid_response_codes = false;
 };
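Review bot: The extended comment states the rule as a leading digit in "[1 - 5]" plus no non-digit characters, which is a roundabout way of saying the token must be exactly three digits, and it uses a different interval notation from the "[100, 599]" on the line above. I would word the addition as `// The code must also be written as exactly three ASCII digits: a sign, a leading zero or any other non-digit character makes it invalid.` Since the field defaults to `false`, the comment could also say that such codes are not rejected unless the flag is set.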