The checks for the allowed characters in pseudo-headers like ":method" and ":path" should be improved.
":method" must be a token. The definition for "token" is here. Note that e.g. spaces and tabs are not allowed, and the value must not be empty. (Update: the "not empty" check is already implemented.)
The rules for ":path" are more complex, but here, too, spaces and tabs are not allowed, and the value must not be empty for http/https. (Update: the "not empty" check is already implemented.)
These checks are important to prevent HTTP/2 downgrading attacks. Please read the research paper HTTP/2: The Sequel is Always Worse for more information.
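A sketch of the checks requested above, as an added example that is not code from this project: `valid_method`, `valid_path` and `check_request` are hypothetical names, and the header lists are constructed samples. It assumes the "token" grammar of RFC 9110 and, beyond what the issue asks for, also rejects the remaining control characters in ":path".

```python
import string

# tchar set of the HTTP "token" grammar (RFC 9110, section 5.6.2).
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())


def valid_method(value: bytes) -> bool:
    """:method must be a non-empty token: no SP, HTAB, controls or separators."""
    return bool(value) and all(b in TCHAR for b in value)


def valid_path(value: bytes, scheme: bytes) -> bool:
    """Minimal :path check: non-empty for http/https, no SP/HTAB.

    Assumption beyond the issue text: all other C0 controls and DEL are
    rejected as well, since CR, LF and NUL are never valid in a field value.
    This is not a full URI-syntax validation.
    """
    if not value and scheme.lower() in (b"http", b"https"):
        return False
    return all(b > 0x20 and b != 0x7F for b in value)


def check_request(headers):
    """Return None if the pseudo-headers pass, else a reason string.

    `headers` is a decoded HPACK header list of (name, value) byte pairs.
    A server would answer a non-None result with a stream error
    (PROTOCOL_ERROR) instead of forwarding or rewriting the request.
    """
    pseudo = {n: v for n, v in headers if n.startswith(b":")}
    if not valid_method(pseudo.get(b":method", b"")):
        return "invalid :method"
    if not valid_path(pseudo.get(b":path", b""), pseudo.get(b":scheme", b"")):
        return "invalid :path"
    return None


# Constructed sample header lists (not taken from any real capture).
SAMPLES = [
    [(b":method", b"GET"), (b":scheme", b"https"), (b":path", b"/index.html")],
    [(b":method", b"GET "), (b":scheme", b"https"), (b":path", b"/")],
    [(b":method", b"GET"), (b":scheme", b"https"), (b":path", b"/a\tb")],
    [(b":method", b"GET"), (b":scheme", b"https"), (b":path", b"")],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_request(sample))
```

The validation has to run on the raw decoded values before any HTTP/1.1 request line is built from them, because a space or tab that survives to that point changes how the downstream server splits the line.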