Details
-
Bug
-
Resolution: Done
-
Major
-
1.2.7.Final
-
None
Description
When Undertow receives an HTTP/2 HEADER frame without the :method pseudo header, it produces the following stack trace:
ERROR: XNIO001007: A channel event listener threw an exception java.lang.NullPointerException at io.undertow.util.HttpString.<init>(HttpString.java:106) at io.undertow.util.HttpString.<init>(HttpString.java:101) at io.undertow.util.Methods.fromString(Methods.java:138) at io.undertow.server.protocol.http2.Http2ReceiveListener.handleRequests(Http2ReceiveListener.java:129) at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:108) at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:775) at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:763) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:993) at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
According to the HTTP/2 spec, a HEADER frame without the :method pseudo header is malformed:
All HTTP/2 requests MUST include exactly one valid value for the :method, :scheme, and :path pseudo-header fields, unless it is a CONNECT request (Section 8.3). An HTTP request that omits mandatory pseudo-header fields is malformed (Section 8.1.2.6).
However, it would be good if malformed requests from clients are handled correctly and don't result in an ERROR log and a NullPointerException.
