git.kaiwu.me - haproxy.git/commit

author	Willy Tarreau <w@1wt.eu>
	Tue, 5 May 2026 11:33:05 +0000 (13:33 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 5 May 2026 12:10:36 +0000 (14:10 +0200)
commit	b52a0e67825248b4d7023ad2f2a82a4d7c9bd2ce
tree	c43b200ec98b869d9b1d4926f1467355f73fa8c0	tree \| snapshot
parent	96f7ff4fdd97d5ac999b465c20f1019cc1410dfd	commit \| diff

BUG/MINOR: h2: only accept :protocol with extended CONNECT

As reported by Huangbin Zhan in github issue #3355, we're too lax on
the :protocol pseudo header. It is currently accepted with regular
CONNECT as well as non-CONNECT methods while it only ought to be
accepted with extended CONNECT (i.e. CONNECT after the connection
negotiated the RFC8441 extension). Let's refine the check in H2 by
leveraging the new flag H2_MSGF_EXT_CONN_OK that is passed by the
caller when the connection supports the extension. This is sufficient
to sort the various cases.

The proto upgrade regtest was updated to verify that CONNECT with
:protocol without nego and another method with nego and :protocol
both fail.

Thanks to Huangbin Zhan (@zhanhb) for the report and helpful reproducer.

This needs to be backported to all versions. It relies on these patches
first:

  REGTESTS: http-messaging: always send RFC8441 client settings to use ext connect
  BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting
  MINOR: mux-h2: add a new message flag to indicate ext connect support

reg-tests/http-messaging/protocol_upgrade.vtc		diff \| blob \| history
src/h2.c		diff \| blob \| history