  1. Undertow
  2. UNDERTOW-474

HTTP/2: NullPointerException on missing :method pseudo header

    Details

    • Steps to Reproduce:
      Send malformed HTTP/2 HEADER frame with :method missing, and look at the Exceptions in Undertow's logfile.

      Description

      When Undertow receives an HTTP/2 HEADER frame without the :method pseudo header, it produces the following stack trace:

      ERROR: XNIO001007: A channel event listener threw an exception
      java.lang.NullPointerException
      	at io.undertow.util.HttpString.<init>(HttpString.java:106)
      	at io.undertow.util.HttpString.<init>(HttpString.java:101)
      	at io.undertow.util.Methods.fromString(Methods.java:138)
      	at io.undertow.server.protocol.http2.Http2ReceiveListener.handleRequests(Http2ReceiveListener.java:129)
      	at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:108)
      	at io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:55)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:775)
      	at io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:763)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:993)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
      

      According to the HTTP/2 spec, a HEADER frame without the :method pseudo header is malformed:

      All HTTP/2 requests MUST include exactly one valid value for the :method, :scheme, and :path pseudo-header fields, unless it is a CONNECT request (Section 8.3). An HTTP request that omits mandatory pseudo-header fields is malformed (Section 8.1.2.6).
      

      However, it would be good if malformed requests from clients are handled correctly and don't result in an ERROR log and a NullPointerException.
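
One way to reject such a request before any method lookup, shown as an added example that is not part of the original report and not Undertow's code. The class and method names are hypothetical, and the decoded header block is assumed to arrive as name/value pairs:

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: all names here are hypothetical, not Undertow classes.
public final class PseudoHeaderCheck {

    /** Returns null if the mandatory pseudo-headers are present, else the reason the request is malformed. */
    static String malformedReason(String[][] decodedHeaders) {
        Map<String, String> pseudo = new HashMap<>();
        for (String[] h : decodedHeaders) {
            String name = h[0];
            if (!name.startsWith(":")) {
                continue; // regular header fields are out of scope for this check
            }
            if (pseudo.put(name, h[1]) != null) {
                return "duplicate " + name; // "exactly one" rules out repeats
            }
        }
        String method = pseudo.get(":method");
        if (method == null || method.isEmpty()) {
            // The case in this report: stop here instead of passing null to a method lookup.
            return "missing :method";
        }
        if (method.equals("CONNECT")) {
            return null; // CONNECT follows Section 8.3 instead; not checked here
        }
        for (String required : new String[] {":scheme", ":path"}) {
            String value = pseudo.get(required);
            if (value == null || value.isEmpty()) {
                return "missing " + required;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample input: one header block without :method, one complete.
        String[][] noMethod = {{":scheme", "https"}, {":path", "/"}, {"user-agent", "example"}};
        String[][] complete = {{":method", "GET"}, {":scheme", "https"}, {":path", "/"}};
        System.out.println("no :method -> " + malformedReason(noMethod));
        System.out.println("complete   -> " + malformedReason(complete));
    }
}
```

A non-null result is the point at which a server can answer with a stream error of type PROTOCOL_ERROR, as Section 8.1.2.6 specifies for malformed requests, rather than logging an exception.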

              People

              • Assignee:
                swd847 Stuart Douglas
                Reporter:
                fstab Fabian Stäber