HTTP/2: tighten SETTINGS validation #632

Merged
arturobernalg merged 1 commit into apache:master from arturobernalg:settings-validation
Feb 22, 2026

@arturobernalg
Member

This change tightens HTTP/2 SETTINGS processing and aligns config handling with RFC 9113.

RFC 9113 6.5.2 (SETTINGS_ENABLE_PUSH):
"Any value other than 0 or 1 MUST be treated as a connection error (Section 5.4.1) of type PROTOCOL_ERROR."
"A client MUST treat receipt of a SETTINGS frame with SETTINGS_ENABLE_PUSH set to 1 as a connection error (Section 5.4.1) of type PROTOCOL_ERROR."

RFC 9113 6.5.2 (SETTINGS_MAX_CONCURRENT_STREAMS):
"A value of 0 for SETTINGS_MAX_CONCURRENT_STREAMS SHOULD NOT be treated as special by endpoints."

RFC 9113 6.5.2 (SETTINGS_INITIAL_WINDOW_SIZE):
"Values above the maximum flow-control window size of 2^{31}-1 MUST be treated as a connection error (Section 5.4.1) of type FLOW_CONTROL_ERROR."

RFC 9113 6.5.2 (SETTINGS_MAX_HEADER_LIST_SIZE):
"The initial value of this setting is unlimited."

Enforce RFC 9113 constraints for SETTINGS_ENABLE_PUSH and reject invalid values.
Accept zero values for peer settings that may legitimately be 0.
Add unit tests for client and server multiplexers.
@arturobernalg arturobernalg requested a review from ok2c February 21, 2026 13:11
@arturobernalg arturobernalg merged commit 6735aa0 into apache:master Feb 22, 2026
10 checks passed
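
The RFC 9113 rules quoted in the description above, as an added Java example (not code from this pull request or from the project): a stand-alone check over a raw SETTINGS payload. The class name, `validate`, `entry` and the string error names are assumptions made for illustration, and the sample payloads are constructed.

```java
import java.nio.ByteBuffer;

// Added illustration, not HttpCore code. All names here are hypothetical.
public class SettingsValidationExample {
    // Setting identifiers from RFC 9113 section 6.5.2.
    static final int ENABLE_PUSH = 0x2;
    static final int MAX_CONCURRENT_STREAMS = 0x3;
    static final int INITIAL_WINDOW_SIZE = 0x4;
    static final int MAX_HEADER_LIST_SIZE = 0x6;

    // Returns null when the payload is acceptable, otherwise the connection error type.
    static String validate(byte[] payload, boolean receiverIsClient) {
        if (payload.length % 6 != 0) {
            // RFC 9113 section 6.5: each entry is a 16-bit id plus a 32-bit value.
            return "FRAME_SIZE_ERROR";
        }
        ByteBuffer buf = ByteBuffer.wrap(payload); // network byte order by default
        while (buf.hasRemaining()) {
            int id = buf.getShort() & 0xFFFF;
            // Widen to long: read as a signed int, 0x80000000 is negative and
            // would slip past a "greater than 2^31-1" comparison.
            long value = buf.getInt() & 0xFFFFFFFFL;
            switch (id) {
                case ENABLE_PUSH:
                    if (value > 1 || (receiverIsClient && value == 1)) {
                        return "PROTOCOL_ERROR";
                    }
                    break;
                case INITIAL_WINDOW_SIZE:
                    if (value > 0x7FFFFFFFL) {
                        return "FLOW_CONTROL_ERROR";
                    }
                    break;
                default:
                    // MAX_CONCURRENT_STREAMS = 0 is not special and
                    // MAX_HEADER_LIST_SIZE has no upper bound; unknown ids are ignored.
                    break;
            }
        }
        return null;
    }
    // Builds one constructed 6-octet SETTINGS entry for the sample inputs below.
    static byte[] entry(int id, long value) {
        return ByteBuffer.allocate(6).putShort((short) id).putInt((int) value).array();
    }
    public static void main(String[] args) {
        System.out.println(validate(entry(ENABLE_PUSH, 2), false));
        System.out.println(validate(entry(ENABLE_PUSH, 1), true));
        System.out.println(validate(entry(INITIAL_WINDOW_SIZE, 0x80000000L), false));
        System.out.println(validate(entry(MAX_CONCURRENT_STREAMS, 0), true));
        System.out.println(validate(entry(MAX_HEADER_LIST_SIZE, 0xFFFFFFFFL), true));
    }
}
```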