
http2: validate non-link headers in writeEarlyHints by mcollina · Pull Request #62017 · nodejs/node

@nodejs-github-bot added the following labels on Feb 27, 2026:

- http: Issues or PRs related to the http subsystem.
- http2: Issues or PRs related to the http2 subsystem.
- needs-ci: PRs that need a full CI run.

pimterry

RafaelGSS

@mcollina changed the title from "http: validate non-link headers in writeEarlyHints" to "http2: validate non-link headers in writeEarlyHints"

May 13, 2026
Validate header names and values for non-link hints passed to
writeEarlyHints() in the HTTP/2 compat layer using assertValidHeader()
and checkIsHttpToken(), consistent with the HTTP/1.1 validation added
in nodejs#61897.

Previously, hints were forwarded into the headers object without any
validation, allowing invalid characters in header names/values to
surface as opaque errors deeper in the HTTP/2 stack.

Signed-off-by: Matteo Collina <hello@matteocollina.com>
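
A sketch of the kind of check the description above refers to, added here as an example and not code from this PR or from Node.js core. The helper names (`validateHints`, `assertHintsValid`) and the sample hints are constructed, and skipping `link` assumes that header is validated separately.

```javascript
'use strict';
// Added illustration: validate early-hint headers before they reach the
// HTTP/2 stack, so a bad name or value fails early with a clear error.

// RFC 9110 "token": the only characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Anything outside HTAB, printable ASCII and obs-text is rejected in a value
// (this covers CR, LF, NUL and the other control characters).
const BAD_VALUE_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Returns a list of { name, reason } problems; an empty list means valid.
function validateHints(hints) {
  const problems = [];
  for (const [name, value] of Object.entries(hints)) {
    if (name.toLowerCase() === 'link') continue; // assumption: checked elsewhere
    if (!TOKEN.test(name)) {
      problems.push({ name, reason: 'invalid header name' });
      continue;
    }
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) {
      if (v === undefined || v === null) {
        problems.push({ name, reason: 'missing value' });
      } else if (BAD_VALUE_CHAR.test(String(v))) {
        problems.push({ name, reason: 'invalid character in value' });
      }
    }
  }
  return problems;
}

// Throwing wrapper: call this before passing hints to writeEarlyHints().
function assertHintsValid(hints) {
  const problems = validateHints(hints);
  if (problems.length > 0) {
    const detail = problems.map((p) => `${JSON.stringify(p.name)}: ${p.reason}`);
    throw new TypeError(`Invalid early hints: ${detail.join('; ')}`);
  }
  return hints;
}

// Constructed sample inputs.
const SAMPLES = {
  ok: { 'link': '</style.css>; rel=preload; as=style', 'x-trace-id': 'abc123' },
  badName: { 'x trace': 'abc' },
  badValue: { 'x-trace-id': 'abc\r\nx-other: 1' },
  multi: { 'x-a': ['fine', 'not\u0000fine'], 'x-b': undefined },
};
```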

pimterry

aduh95 pushed a commit that referenced this pull request

May 19, 2026
Validate header names and values for non-link hints passed to
writeEarlyHints() in the HTTP/2 compat layer using assertValidHeader()
and checkIsHttpToken(), consistent with the HTTP/1.1 validation added
in #61897.

Previously, hints were forwarded into the headers object without any
validation, allowing invalid characters in header names/values to
surface as opaque errors deeper in the HTTP/2 stack.

Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: #62017
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

aduh95 pushed a commit that referenced this pull request

May 19, 2026

aduh95 pushed a commit that referenced this pull request

May 23, 2026

araujogui pushed a commit to araujogui/node that referenced this pull request

May 26, 2026

aduh95 pushed a commit that referenced this pull request

Jun 18, 2026