dweepvira opened a new pull request, #12881:
URL: https://github.com/apache/trafficserver/pull/12881
# Disallow `@` in HTTP/1 header field-names per RFC 9110
## Summary
Disallow the `@` character in HTTP/1 header field-names to ensure compliance
with RFC 9110.
## Background
RFC 9110 defines:
```
field-name = token
```
Where `token` consists only of `tchar` characters:
```
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
```
The `@` character is **not** included in the `tchar` set and therefore is
not valid in HTTP header field-names.
The current implementation of `ParseRules::is_http_field_name()` explicitly
allows `@` as an exception:
```cpp
(is_mime_sep(c) && c != '@')
```
This results in HTTP/1 requests such as:
```
To@st: value
```
being accepted instead of rejected.
## Change
Remove the special-case allowance for `@` in
`ParseRules::is_http_field_name()`.
Before:
```cpp
(is_mime_sep(c) && c != '@')
```
After:
```cpp
is_mime_sep(c)
```
This ensures that `@` is rejected as part of HTTP/1 header field-names.
## Result
Requests containing header names with `@` now correctly return:
```
400 Invalid HTTP Request
```
instead of being processed normally.
## Scope
* Minimal change
* No structural modifications
* No parser architecture changes
* Strict RFC 9110 compliance enforcement
## Impact
Improves HTTP/1 standards compliance by rejecting syntactically invalid
header field-names.
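Added example, not part of the pull request or Traffic Server's code: a stand-alone field-name check built directly from the RFC 9110 `tchar` grammar quoted above, with an `allow_at` switch that models a parser tolerating `@`. The names `FieldCheck`, `check_field_line` and `status_for` are hypothetical, and the header lines are constructed samples.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical names; this is not Traffic Server's ParseRules implementation.
enum class FieldCheck { Ok, EmptyName, BadNameOctet, NoColon };

struct FieldResult {
  FieldCheck  status;
  std::size_t bad_offset; // offset of the first offending octet, else npos
};

// RFC 9110 tchar: DIGIT / ALPHA / the fifteen listed punctuation octets.
static bool is_tchar(unsigned char c)
{
  static const std::string punct = "!#$%&'*+-.^_`|~";
  if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) return true;
  return punct.find(static_cast<char>(c)) != std::string::npos;
}

// Check the field-name of one HTTP/1 header line (CRLF already stripped).
// allow_at = true models a parser that tolerates '@' in the name.
FieldResult check_field_line(const std::string &line, bool allow_at = false)
{
  const std::size_t colon = line.find(':');
  if (colon == std::string::npos) return {FieldCheck::NoColon, std::string::npos};
  if (colon == 0) return {FieldCheck::EmptyName, 0};
  for (std::size_t i = 0; i < colon; ++i) {
    const unsigned char c = static_cast<unsigned char>(line[i]);
    if (!is_tchar(c) && !(allow_at && c == '@')) return {FieldCheck::BadNameOctet, i};
  }
  return {FieldCheck::Ok, std::string::npos};
}

// Status a strict parser would answer with for this single line.
int status_for(const std::string &line, bool allow_at = false)
{
  return check_field_line(line, allow_at).status == FieldCheck::Ok ? 200 : 400;
}

int main()
{
  // Constructed sample lines.
  const char *samples[] = {"Host: example.test", "To@st: value", "Host : x"};
  for (const char *s : samples) {
    std::printf("%-20s strict=%d allow_at=%d\n", s, status_for(s), status_for(s, true));
  }
}
```

Because only `tchar` octets pass, whitespace between the field-name and the colon (`Host : x`) is rejected by the same loop, with `bad_offset` pointing at the offending octet for logging.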