Validate all TE header instances for HTTP/2 request conformance. by arturobernalg · Pull Request #620 · apache/httpcomponents-core

arturobernalg · 2026-02-16T10:59:00Z

Reject any TE value other than trailers (including additional TE headers).

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestConformance.java

ok2c · 2026-02-17T13:10:48Z

@arturobernalg I would rewrite it as

    @Override
    public void process(final HttpRequest request, final EntityDetails entity, final HttpContext localContext)
            throws HttpException, IOException {
        Args.notNull(request, "HTTP request");
        for (int i = 0; i < illegalHeaderNames.length; i++) {
            final String headerName = illegalHeaderNames[i];
            if (request.containsHeader(headerName)) {
                if (HttpHeaders.TE.equalsIgnoreCase(headerName)) {
                    validateTE(request);
                } else {
                    throw new ProtocolException("Header '%s' is illegal for HTTP/2 messages", headerName);
                }
            }
        }
    }

    private static void validateTE(final HttpRequest request) throws ProtocolException {
        boolean sawAnyToken = false;
        boolean sawInvalidToken = false;
        for (final Iterator<String> it = MessageSupport.iterateTokens(request, HttpHeaders.TE); it.hasNext(); ) {
            final String token = it.next();
            sawAnyToken = true;
            if (!"trailers".equalsIgnoreCase(token)) {
                sawInvalidToken = true;
                break;
            }
        }
        if (sawInvalidToken || !sawAnyToken) {
            throw new ProtocolException("Header '%s' is illegal for HTTP/2 messages", HttpHeaders.TE);
        }
    }

Reject any TE value other than trailers (including additional TE headers).

arturobernalg · 2026-02-17T14:21:18Z

@arturobernalg I would rewrite it as

    @Override
    public void process(final HttpRequest request, final EntityDetails entity, final HttpContext localContext)
            throws HttpException, IOException {
        Args.notNull(request, "HTTP request");
        for (int i = 0; i < illegalHeaderNames.length; i++) {
            final String headerName = illegalHeaderNames[i];
            if (request.containsHeader(headerName)) {
                if (HttpHeaders.TE.equalsIgnoreCase(headerName)) {
                    validateTE(request);
                } else {
                    throw new ProtocolException("Header '%s' is illegal for HTTP/2 messages", headerName);
                }
            }
        }
    }

    private static void validateTE(final HttpRequest request) throws ProtocolException {
        boolean sawAnyToken = false;
        boolean sawInvalidToken = false;
        for (final Iterator<String> it = MessageSupport.iterateTokens(request, HttpHeaders.TE); it.hasNext(); ) {
            final String token = it.next();
            sawAnyToken = true;
            if (!"trailers".equalsIgnoreCase(token)) {
                sawInvalidToken = true;
                break;
            }
        }
        if (sawInvalidToken || !sawAnyToken) {
            throw new ProtocolException("Header '%s' is illegal for HTTP/2 messages", HttpHeaders.TE);
        }
    }

@ok2c All right. I made the change

arturobernalg requested a review from ok2c February 16, 2026 10:59

ok2c requested changes Feb 16, 2026

View reviewed changes

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestConformance.java Outdated Show resolved Hide resolved

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestConformance.java Outdated Show resolved Hide resolved

arturobernalg force-pushed the te branch 2 times, most recently from 1699f8f to 1342a90 Compare February 16, 2026 13:51

arturobernalg requested a review from ok2c February 16, 2026 13:52

ok2c requested changes Feb 16, 2026

View reviewed changes

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestConformance.java Outdated Show resolved Hide resolved

httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestConformance.java Outdated Show resolved Hide resolved

arturobernalg force-pushed the te branch from 29c06ab to b1554dd Compare February 16, 2026 17:58

arturobernalg requested a review from ok2c February 16, 2026 17:59

Validate all TE header instances for HTTP/2 request conformance.

fee0022

Reject any TE value other than trailers (including additional TE headers).

arturobernalg force-pushed the te branch from faacded to fee0022 Compare February 17, 2026 14:19

ok2c approved these changes Feb 17, 2026

View reviewed changes

arturobernalg merged commit cd18a1c into apache:master Feb 18, 2026
10 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate all TE header instances for HTTP/2 request conformance.#620

Validate all TE header instances for HTTP/2 request conformance.#620
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:te

arturobernalg commented Feb 16, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ok2c commented Feb 17, 2026

Uh oh!

arturobernalg commented Feb 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

arturobernalg commented Feb 16, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

ok2c commented Feb 17, 2026

Uh oh!

arturobernalg commented Feb 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments