From 729c3ac45946ca722a815253b5ea336f648a3d95 Mon Sep 17 00:00:00 2001
From: Ririsoft
Date: Mon, 4 Jan 2021 19:15:23 +0100
Subject: [PATCH] fix panic on none ascii headers

None utf-8 or ascii headers should not make a server panic, but return 400 BadRequest instead.
---
 src/server/decode.rs | 2 ++
 tests/server_decode.rs | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/server/decode.rs b/src/server/decode.rs
index 133b58e..303f8be 100644
--- a/src/server/decode.rs
+++ b/src/server/decode.rs
@@ -80,6 +80,8 @@ where
 req.set_version(Some(http_types::Version::Http1_1));
 for header in httparse_req.headers.iter() {
+ // https://tools.ietf.org/html/rfc822#section-3.1
+ http_types::ensure_status!(header.value.is_ascii(), 400, "None ascii header");
 req.append_header(header.name, std::str::from_utf8(header.value)?);
 }
diff --git a/tests/server_decode.rs b/tests/server_decode.rs
index 10c6701..a2f6a5c 100644
--- a/tests/server_decode.rs
+++ b/tests/server_decode.rs
@@ -2,10 +2,10 @@ mod test_utils;
 mod server_decode {
 use super::test_utils::TestIO;
 use async_std::io::prelude::*;
- use http_types::headers::TRANSFER_ENCODING;
 use http_types::Request;
 use http_types::Result;
 use http_types::Url;
+ use http_types::{headers::TRANSFER_ENCODING, StatusCode};
 use pretty_assertions::assert_eq;
 async fn decode_lines(lines: Vec<&str>) -> Result> {
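Review bot: The comment above the new `ensure_status!` line in src/server/decode.rs cites RFC 822 section 3.1, which is the mail message format; HTTP/1.1 field syntax is RFC 7230 section 3.2, and that grammar still permits obs-text (bytes 0x80-0xFF) in field values. Rejecting those bytes with 400 is a defensible strict-parsing choice, but it should be documented as deliberate, for example `// Stricter than RFC 7230 section 3.2: obs-text in field values is rejected, not passed on as opaque bytes`, because clients that send Latin-1 values will now be refused. The status text would read better as `"Non-ASCII header value"`, and once the value is known to be ASCII the `?` on `std::str::from_utf8` can no longer fire. The enclosing function starts and ends outside the hunk.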
@@ -125,4 +125,35 @@ mod server_decode {
 Ok(())
 }
+
+ #[async_std::test]
+ async fn none_utf8_header() {
+ let s = vec![
+ b"GET / HTTP/1.1" as &[u8],
+ b"host: localhost:8080",
+ b"none-utf8-header: \xc3\x28",
+ b"",
+ b"",
+ ]
+ .join(b"\r\n" as &[u8]);
+ let (mut client, server) = TestIO::new();
+ client.write_all(&s).await.unwrap();
+ client.close();
+ let err = async_h1::server::decode(server).await.unwrap_err();
+ assert_eq!(err.status(), StatusCode::BadRequest);
+ }
+
+ #[async_std::test]
+ async fn none_ascii_header() {
+ let err = decode_lines(vec![
+ "GET / HTTP/1.1",
+ "host: localhost:8080",
+ "none-ascii-header: élo",
+ "",
+ "",
+ ])
+ .await
+ .unwrap_err();
+ assert_eq!(err.status(), StatusCode::BadRequest);
+ }
 }
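Review bot: Both new tests assert only `err.status() == StatusCode::BadRequest`, so they would also pass if the request were rejected for some unrelated reason, such as the request line or another header failing to parse. A control case that sends the same request with an ASCII-only value and expects decoding to succeed would tie the 400 to the new value check. The names would also read more clearly as `non_utf8_header` and `non_ascii_header`. A one-line comment on `b"none-utf8-header: \xc3\x28"` would help, e.g. `// 0xC3 followed by 0x28 is an invalid UTF-8 sequence`.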