This repository was archived by the owner on Dec 18, 2018. It is now read-only.
This repository was archived by the owner on Dec 18, 2018. It is now read-only.
Enforce restrictions on request-target formats #1279
Description
We currently accept some malformed requests that are not adherent to the HTTP/1.1 spec.
Example:
- relative paths
GET ../../ HTTP/1.1is not a valid format at all. Should be rejected. - authority-form
GET www.contoso.com HTTP/1.1is invalid, but Kestrel will accept anyways. - asterisk-form
GET * HTTP/1.1is invalid, but Kestrel will accept anyways.
Restrictions on request-target that are not currently enforced:
- authority-form are only valid for CONNECT requests https://tools.ietf.org/html/rfc7230#section-5.3.3
- asterisk-form should only by used with OPTIONS requests https://tools.ietf.org/html/rfc7230#section-5.3.4