IPv6 Host format is not validated before it is propagated to :authority
#22,859 opened on Aug 26, 2022
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
Hello everyone. I have noticed that in IPv6, when Envoy translates a request to HTTP2 , Envoy does not seem to check and verify the host address format before propagating the value to the :authority pseudo-header. Host addresses like "2001:db8::2:1:443" (it does not adhere to the [ip]:port format) are applied as "they-are" in the :authority header. Keep in mind that RFC3986 states the following about host header:
A host identified by an Internet Protocol literal address, version 6 [RFC3513] or later, is distinguished by enclosing the IP literal within square brackets ("[" and "]").
Therefore I would expect that non-rfc3986-compliant headers would lead to an error and not be propagated to :authority as part of the conversion from http1 to http2. For your reference, RFC7230 mentioned host header handling in case of invalid values.
A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.
Is the current behavior intentional or is there an actual issue? If needed I can provide some steps to reproduce the behavior by using Istio. I have verified the behavior on Envoy 1.22.2