From 520886990fbc4d40bd7dd8d788d4e79326fc64c5 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 3 Dec 2017 20:13:54 +0100 Subject: [PATCH] BUG/MINOR: h2: reject response pseudo-headers from requests At the moment there's only ":status". Let's block it early when parsing the request. Otherwise it would be blocked by the HTTP/1 code anyway. This silences another h2spec issue. To backport to 1.8. --- src/h2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/h2.c b/src/h2.c index 41565c04b..83ef04363 100644 --- a/src/h2.c +++ b/src/h2.c @@ -212,6 +212,10 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize) *(out++) = '\n'; } + /* RFC7540#8.1.2.1 mandates to reject response pseudo-headers (:status) */ + if (fields & H2_PHDR_FND_STAT) + goto fail; + /* Let's dump the request now if not yet emitted. */ if (!(fields & H2_PHDR_FND_NONE)) { ret = h2_prepare_h1_reqline(fields, phdr_val, &out, out_end);
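Review bot: The `:status` test sits after what appears to be the closing brace of the header loop, just before the "dump the request now if not yet emitted" block, so the rejection happens later than the commit message's "block it early" suggests. That wording implies the request line can already have been emitted by this point, in which case `out` may hold a partial HTTP/1 request when `goto fail` is taken. This is only safe if every caller discards `out` on the failure return, which cannot be confirmed here because the body of h2_make_h1_request starts and ends outside the hunk. Consider testing `fields & H2_PHDR_FND_STAT` where the pseudo-header is recorded, or extend the comment to say `/* out may already hold a partial request here; callers must drop it on failure */`.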