BUG/MINOR: h3: don't insert more than one Host header

Let's make sure we drop extraneous Host headers after having compared them. That also works when :authority was already present. This way, like for h1 and h2, we only keep one copy of it, while still making sure that Host matches :authority. This way, if a request has both :authority and Host, only one Host header will be produced (from :authority). Note that due to the different organization of the code and wording along the evolving RFCs, here we also check that all duplicates are identical, while h2 ignores them as per RFC7540, but this will be re-unified later. This should be backported to stable versions, at least 2.8, though thanks to the existing checks the impact is probably nul.
2025-11-28 14:21:00 +01:00 · 2025-05-16 14:51:13 +02:00 · 2025-05-16 14:51:13 +02:00 · b84762b3e0
commit b84762b3e0
parent f45a632bad
1 changed files with 8 additions and 0 deletions
--- a/src/h3.c
+++ b/src/h3.c
@ -861,12 +861,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 		}

 		if (isteq(list[hdr_idx].n, ist("host"))) {
+			struct ist prev_auth = authority;
+
 			if (h3_set_authority(qcs, &authority, list[hdr_idx].v)) {
 				h3s->err = H3_ERR_MESSAGE_ERROR;
 				qcc_report_glitch(h3c->qcc, 1);
 				len = -1;
 				goto out;
 			}
+
+			if (isttest(prev_auth)) {
+				/* skip duplicate Host header */
+				++hdr_idx;
+				continue;
+			}
 		}
 		else if (isteq(list[hdr_idx].n, ist("cookie"))) {
 			http_cookie_register(list, hdr_idx, &cookie, &last_cookie);