According to the HTTP/2 spec (Connection-Specific Header Fields), an HTTP/2 request:
- must not contain a "connection" header
- may contain a 'te' header, but only with the value 'trailers'
HTTP/2 does not use the Connection header field to indicate
connection-specific header fields; in this protocol, connection-
specific metadata is conveyed by other means. An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).

The only exception to this is the TE header field, which MAY be
present in an HTTP/2 request; when it is, it MUST NOT contain any
value other than "trailers".
Currently there is no such check in Undertow's request processing. Thus such requests are processed successfully instead of being rejected as malformed.
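A sketch of the missing check, as an added example (not Undertow's code and not the fix that was committed). The class and method names are hypothetical, the header sets are constructed samples, and the forbidden list beyond "connection" comes from RFC 7540 section 8.1.2.2 rather than from the text quoted above. Java 9 or later is assumed.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class Http2HeaderCheck {
    // Connection-specific fields named in RFC 7540 section 8.1.2.2
    // (the excerpt quoted in this issue names only Connection and TE).
    private static final Set<String> FORBIDDEN = Set.of(
            "connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade");

    /** Returns null if the headers pass the check, otherwise the reason the request is malformed. */
    static String malformedReason(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (FORBIDDEN.contains(name)) {
                return "connection-specific header field: " + name;
            }
            if (name.equals("te")) {
                // TE may be repeated or comma-separated; every element must be "trailers".
                for (String value : e.getValue()) {
                    for (String token : value.split(",")) {
                        if (!token.trim().equalsIgnoreCase("trailers")) {
                            return "te contains a value other than \"trailers\": " + token.trim();
                        }
                    }
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample header sets, not captured traffic.
        List<Map<String, List<String>>> samples = List.of(
                Map.of(":method", List.of("GET"), "te", List.of("trailers")),
                Map.of(":method", List.of("GET"), "connection", List.of("keep-alive")),
                Map.of(":method", List.of("GET"), "te", List.of("trailers, gzip")),
                Map.of(":method", List.of("POST"), "transfer-encoding", List.of("chunked")));
        for (Map<String, List<String>> h : samples) {
            String reason = malformedReason(h);
            // Per RFC 7540 section 8.1.2.6, a malformed request is a stream error of type PROTOCOL_ERROR.
            System.out.println(h + " -> " + (reason == null ? "accept" : "reject as malformed: " + reason));
        }
    }
}
```

Only the first sample is accepted. The check treats an empty TE value as malformed, which is the conservative reading of "MUST NOT contain any value other than trailers".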
- is blocked by: JBEAP-5765 Upgrade Undertow from 1.4.0.Final to 1.4.3.Final (Verified)
- is cloned by: UNDERTOW-822 HTTP2 connection-specific headers check in request (Resolved)
- is incorporated by: JBEAP-5897 (7.1.0) Upgrade to WildFly Core 3.0.0.Alpha8 (Verified)