Host and Authority Headers RFC Compliance: Decode Percent-encoded UTF8 Characters
#21,306 opened on 2022年5月16日
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (平均マージ 8d) (30d で 378 merged PRs)
説明
Title: Host and Authority Headers RFC Compliance: Decode Percent-encoded UTF8 Characters
Description:
While working on the unified header validation component (#20261), we found that the Host and Authority headers do not decode percent-encoded UTF8 characters, per the RFC spec.
Although the fix could be targeted for UHV, I wanted to register this issue with the community to get consensus on how percent-encoded characters should be handled within the H1 Host and H2 :authority headers. For now, we are only looking at the Host and :authority headers and not talking about URI or path normalization.
Some initial options after reading the RFCs, which could be implemented as new configuration settings:
- Keep the current behavior and verify that Envoy users can register services that match on percent-encoded host/authority.
- Decode all percent-encoded characters from
Hostand:authority, verify they are valid UTF8 codepoints, and re-encode them in the upstream request (where appropriate).- The URI RFC says that clients producing URIs should only encode non-ASCII characters in this way. Envoy could enforce this by also verifying that the decoded UTF8 codepoint is outside the ASCII range.
- This could also be done on a per-service configuration basis (e.g.-
decode_authority = [true|false]
Relevant Links:
- RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
The
reg-namesyntax allows percent-encoded octets in order to represent non-ASCII registered names in a uniform way that is independent of the underlying name resolution technology. Non-ASCII characters must first be encoded according to UTF-8 (STD 63), and then each octet of the corresponding UTF-8 sequence must be percent-encoded to be represented as URI characters.URI producing applications must not use percent-encoding in host unless it is used to represent a UTF-8 character sequence.
- The
authoritycomponent within the URI is used by both H1Hostheader and H2:authorityheader:A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any
userinfosubcomponent and its@delimiter.The
:authoritypseudo-header field includes the authority portion of the target URI (RFC 3986, Section 3.2). The authority MUST NOT include the deprecateduserinfosubcomponent forhttporhttpsschemed URIs.