From fe7c356be67335d92d41decd13468b862a562337 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sun, 3 Dec 2017 20:15:34 +0100 Subject: [PATCH] BUG/MEDIUM: h2: remove connection-specific headers from request h2spec rightfully outlines that we used not to reject these ones, and they may cause trouble if presented, especially "upgrade". Must be backported to 1.8. --- src/h2.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/h2.c b/src/h2.c index 83ef04363..64f27fe20 100644 --- a/src/h2.c +++ b/src/h2.c @@ -179,6 +179,14 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize) if (isteq(list[idx].n, ist("host"))) fields |= H2_PHDR_FND_HOST; + /* these ones are forbidden in requests (RFC7540#8.1.2.2) */ + if (isteq(list[idx].n, ist("connection")) || + isteq(list[idx].n, ist("proxy-connection")) || + isteq(list[idx].n, ist("keep-alive")) || + isteq(list[idx].n, ist("upgrade")) || + isteq(list[idx].n, ist("transfer-encoding"))) + goto fail; + if (isteq(list[idx].n, ist("te")) && !isteq(list[idx].v, ist("trailers"))) goto fail;
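Review bot: The new forbidden-header test in h2_make_h1_request() matches names with isteq(), which as far as I can tell is an exact byte comparison, so it only catches `transfer-encoding` or `upgrade` when the name arrives in lowercase. RFC 7540 section 8.1.2 makes uppercase names malformed, but the hunk does not show where that is enforced; if it is not enforced before this loop, a mixed-case name would still be copied into the generated HTTP/1 request, which is the case this check exists to prevent. I would either confirm the earlier rejection and record it in the comment, e.g. `/* names are already known to be lowercase (RFC7540#8.1.2); these ones are forbidden in requests (RFC7540#8.1.2.2) */`, or compare case-insensitively here. The subject line says "remove" while the code fails the whole request through `goto fail`, so the comment could also state that the request is rejected as malformed rather than having the header stripped. The function starts and ends outside the hunk.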