http2: replaces nghttp2 functions with equivalents from QUICHE. #24943
Conversation
Signed-off-by: Biren Roy <birenroy@google.com>
|
/assign @diannahu |
| @@ -190,17 +190,16 @@ bool HeaderUtility::schemeIsValid(const absl::string_view scheme) { | |||
| } | |||
|
|
|||
| bool HeaderUtility::headerValueIsValid(const absl::string_view header_value) { | |||
| return nghttp2_check_header_value(reinterpret_cast<const uint8_t*>(header_value.data()), | |||
| header_value.size()) != 0; | |||
| return http2::adapter::HeaderValidator::IsValidHeaderValue(header_value, | |||
There was a problem hiding this comment.
Hm, do we need a runtime guard for this? I would imagine it's possible that this is a behavior change in the event that QUICHE and nghttp2 do something different?
There was a problem hiding this comment.
What do you think about a runtime guard for this change?
There was a problem hiding this comment.
Let me see if I can write a unit test that demonstrates whether there is/is not a behavior change.
There was a problem hiding this comment.
With ObsTextOption::kAllow, the set of characters allowed by the oghttp2 method is exactly the same as the nghttp2 function.
There was a problem hiding this comment.
Hm. Can we write a unit test then where we loop through all the possible characters and verify we get the same output? I just want to make 100% sure that this change doesn't result in some crazy corner case behavior change which isn't protected by a runtime guard? Or alternatively, if it obvious from inspection can you point me at the two methods? (Sorry to be pedantic here!)
There was a problem hiding this comment.
Thanks for the offline discussion and the pointer to the test.
Done, thanks. |
|
/wait |
Signed-off-by: Biren Roy <birenroy@google.com>
|
/retest |
|
Retrying Azure Pipelines: |
|
@RyanTheOptimist I think this is ready for another look. I verified that the behavior is unchanged with the new method. |
|
/assign @zuercher |
|
@zuercher for cross-company review. |
Signed-off-by: Biren Roy <birenroy@google.com>
source/common/http/header_utility.cc
Outdated
| } | ||
|
|
||
| bool HeaderUtility::headerNameContainsUnderscore(const absl::string_view header_name) { | ||
| return header_name.find('_') != absl::string_view::npos; | ||
| } | ||
|
|
||
| bool HeaderUtility::authorityIsValid(const absl::string_view header_value) { | ||
| return nghttp2_check_authority(reinterpret_cast<const uint8_t*>(header_value.data()), | ||
| header_value.size()) != 0; | ||
| return http2::adapter::HeaderValidator::IsValidAuthority(header_value); |
There was a problem hiding this comment.
We've confirmed this is identical to nghttp as well?
There was a problem hiding this comment.
Looks like the QUICHE method rejects "@", which nghttp2 allows. I think this is slightly more adherent to RFC 3986 section 3.2.2.
There was a problem hiding this comment.
Because it's stricter, I think that means we should have a runtime guard for this behavior so that someone can revert it.
There was a problem hiding this comment.
Agreed. @birenroy can you add a guard for this?
|
/wait |
Signed-off-by: Biren Roy <birenroy@google.com>
Signed-off-by: Biren Roy <birenroy@google.com>
|
Please merge main and resolve the ci first, thanks. |
|
/wait |
Signed-off-by: Biren Roy <birenroy@google.com>
Signed-off-by: Biren Roy <birenroy@google.com>
|
cc @zuercher could you give a review again when you have free time? Thanks. |
| @@ -510,7 +510,7 @@ envoy_cc_library( | |||
| srcs = ["header_utility.cc"], | |||
| hdrs = ["header_utility.h"], | |||
| external_deps = [ | |||
| "nghttp2", | |||
| "quiche_http2_adapter", | |||
There was a problem hiding this comment.
I'm by no means a bazel expert, but should this continue to reference nghttp2 until the runtime flag is removed?
Signed-off-by: Biren Roy <birenroy@google.com>
Done. |
|
@yanavlasov @KBaichoo I think this PR is ready for merge. |
Envoy uses the `authorityIsValid()` to validate the authority header for both H/1 and H/2 codecs. Previously Envoy used the nghttp2 validator and in #24943 this was changed to oghttp2's implementation. The two implementations differ in the way they handle the "@" character (nghttp2 allows it, and oghttp2 doesn't). According to the H/2 spec, the "@" character is not allowed as part of the authority header. However, for H/1 it is allowed as part of the "user-info@host:port" structure of the authority header. This PR changes the validator to be similar to the nghttp2 implemenation. The change can be temporarily dis In the future, when Envoy fully supports UHV (#10646), the H/1 and H/2 validation parts should be decoupled, and the oghttp2 authority validation can be used for H/2. --------- Signed-off-by: Adi Suissa-Peleg <adip@google.com>
) Envoy uses the `authorityIsValid()` to validate the authority header for both H/1 and H/2 codecs. Previously Envoy used the nghttp2 validator and in envoyproxy#24943 this was changed to oghttp2's implementation. The two implementations differ in the way they handle the "@" character (nghttp2 allows it, and oghttp2 doesn't). According to the H/2 spec, the "@" character is not allowed as part of the authority header. However, for H/1 it is allowed as part of the "user-info@host:port" structure of the authority header. This PR changes the validator to be similar to the nghttp2 implemenation. The change can be temporarily dis In the future, when Envoy fully supports UHV (envoyproxy#10646), the H/1 and H/2 validation parts should be decoupled, and the oghttp2 authority validation can be used for H/2. --------- Signed-off-by: Adi Suissa-Peleg <adip@google.com> Signed-off-by: duxin40 <duxin40@gamil.com>
Signed-off-by: Biren Roy birenroy@google.com
Commit Message: Replaces nghttp2 functions with equivalents from QUICHE.
Additional Description: Cleanup related to #23596
Risk Level: Low
Testing: ran unit and integration tests locally
Docs Changes:
Release Notes:
Platform Specific Features: