fix: HeaderName::from_lowercase allowing NUL bytes in some cases

seanmonstar · seanmonstar · commit e1a319730e1d · 2024-03-04T11:32:03.000-05:00
If a byte slice larger than 64 bytes is passed to
`HeaderName::from_lowercase`, it could allow NUL bytes. This fixes the
bug.

Reported-by: squirrel8@email.cz
diff --git a/src/header/name.rs b/src/header/name.rs
@@ -1174,9 +1174,9 @@ impl HeaderName {
             }
             Repr::Custom(MaybeLower { buf, lower: false }) => {
                 for &b in buf.iter() {
-                    // HEADER_CHARS maps all bytes that are not valid single-byte
+                    // HEADER_CHARS_H2 maps all bytes that are not valid single-byte
                     // UTF-8 to 0 so this check returns an error for invalid UTF-8.
-                    if b != HEADER_CHARS[b as usize] {
+                    if HEADER_CHARS_H2[b as usize] == 0 {
                         return Err(InvalidHeaderName::new());
                     }
                 }
@@ -1865,4 +1865,16 @@ mod tests {
     fn test_all_tokens() {
         HeaderName::from_static("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz");
     }
+
+    #[test]
+    fn test_from_lowercase() {
+        HeaderName::from_lowercase(&[0; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[b'A'; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[0x1; 10]).unwrap_err();
+        HeaderName::from_lowercase(&[0xFF; 10]).unwrap_err();
+        //HeaderName::from_lowercase(&[0; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[b'A'; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[0x1; 100]).unwrap_err();
+        HeaderName::from_lowercase(&[0xFF; 100]).unwrap_err();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -1174,9 +1174,9 @@ impl HeaderName {`
`1174`	`1174`	`}`
`1175`	`1175`	`Repr::Custom(MaybeLower { buf, lower: false }) => {`
`1176`	`1176`	`for &b in buf.iter() {`
`1177`		`- // HEADER_CHARS maps all bytes that are not valid single-byte`
	`1177`	`+ // HEADER_CHARS_H2 maps all bytes that are not valid single-byte`
`1178`	`1178`	`// UTF-8 to 0 so this check returns an error for invalid UTF-8.`
`1179`		`- if b != HEADER_CHARS[b as usize] {`
	`1179`	`+ if HEADER_CHARS_H2[b as usize] == 0 {`
`1180`	`1180`	`return Err(InvalidHeaderName::new());`
`1181`	`1181`	`}`
`1182`	`1182`	`}`
`@@ -1865,4 +1865,16 @@ mod tests {`
`1865`	`1865`	`fn test_all_tokens() {`
`1866`	`1866`	HeaderName::from_static("!#$%&'*+-.^_`\|~0123456789abcdefghijklmnopqrstuvwxyz");
`1867`	`1867`	`}`
	`1868`	`+`
	`1869`	`+ #[test]`
	`1870`	`+ fn test_from_lowercase() {`
	`1871`	`+ HeaderName::from_lowercase(&[0; 10]).unwrap_err();`
	`1872`	`+ HeaderName::from_lowercase(&[b'A'; 10]).unwrap_err();`
	`1873`	`+ HeaderName::from_lowercase(&[0x1; 10]).unwrap_err();`
	`1874`	`+ HeaderName::from_lowercase(&[0xFF; 10]).unwrap_err();`
	`1875`	`+ //HeaderName::from_lowercase(&[0; 100]).unwrap_err();`
	`1876`	`+ HeaderName::from_lowercase(&[b'A'; 100]).unwrap_err();`
	`1877`	`+ HeaderName::from_lowercase(&[0x1; 100]).unwrap_err();`
	`1878`	`+ HeaderName::from_lowercase(&[0xFF; 100]).unwrap_err();`
	`1879`	`+ }`
`1868`	`1880`	`}`