
Add Support for Multiplexing HTTP/2 #2144

Open
hyperxpro wants to merge 2 commits into main from http2

Conversation

@hyperxpro
Member

No description provided.

HttpResponseStatus nettyStatus = HttpResponseStatus.valueOf(statusCode);

// Build HTTP/1.1-style headers, skipping HTTP/2 pseudo-headers (start with ':')
HttpHeaders responseHeaders = new DefaultHttpHeaders(false);

Check warning

Code scanning / CodeQL

Disabled Netty HTTP header validation Medium

Request splitting or response splitting vulnerability due to header value verification being disabled.

Copilot Autofix

AI about 16 hours ago

In general, the fix is to re-enable Netty's built-in header validation so that CRLF and other illegal characters in header names/values are rejected. This is done by using the default DefaultHttpHeaders() constructor (which enables validation) or by passing true instead of false to the existing constructor.

For this specific instance in client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java, the safest and most straightforward change is to replace new DefaultHttpHeaders(false) with new DefaultHttpHeaders(). This keeps the existing behavior (building a mutable HttpHeaders from HTTP/2 headers and passing it into DefaultHttpResponse) while adding Netty's validation step. No other logic needs to change: iteration over h2Headers, filtering out pseudo-headers, and subsequent interceptor handling all remain the same. No new imports or helper methods are required, because DefaultHttpHeaders is already imported.

Concretely:

  • In handleHttp2HeadersFrame, on the line where responseHeaders is declared, change the constructor call from new DefaultHttpHeaders(false) to new DefaultHttpHeaders().
  • Leave the rest of the method intact, including how syntheticResponse is constructed and how responseHeaders is passed around.
Suggested changeset 1
client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java b/client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java
--- a/client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java
+++ b/client/src/main/java/org/asynchttpclient/netty/handler/Http2Handler.java
@@ -104,7 +104,7 @@
         HttpResponseStatus nettyStatus = HttpResponseStatus.valueOf(statusCode);
 
         // Build HTTP/1.1-style headers, skipping HTTP/2 pseudo-headers (start with ':')
-        HttpHeaders responseHeaders = new DefaultHttpHeaders(false);
+        HttpHeaders responseHeaders = new DefaultHttpHeaders();
         h2Headers.forEach(entry -> {
             CharSequence name = entry.getKey();
             if (name.length() > 0 && name.charAt(0) != ':') {
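Review bot: switching to `new DefaultHttpHeaders()` turns a silently-copied CR/LF into an IllegalArgumentException thrown from inside the `h2Headers.forEach` lambda when the filtered entry is added to `responseHeaders`; handleHttp2HeadersFrame should catch that and fail the affected request (resetting only that stream) rather than letting the exception propagate out of the handler and take down the whole multiplexed connection. The pseudo-header filter on the last visible line is still needed, since names starting with ':' would not pass HTTP/1.1 name validation either.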
EOF
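To make the CodeQL finding and the autofix concrete, here is an added, self-contained example that is not part of async-http-client or of the suggested patch. It mirrors the hunk's HTTP/2-to-HTTP/1.1 header copy in a hypothetical helper, `toHttp1Headers`, with the `validate` flag exposed as a parameter, and feeds it a constructed header block carrying a CR/LF in a value. It assumes the Netty 4.1 `io.netty.handler.codec.http` and `io.netty.handler.codec.http2` APIs (`DefaultHttpHeaders(boolean)`, `DefaultHttp2Headers(boolean)`, `Http2Headers.status`/`add`).

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http2.DefaultHttp2Headers;
import io.netty.handler.codec.http2.Http2Headers;

/**
 * Added example, not project code. Shows what DefaultHttpHeaders(false) lets
 * through versus what DefaultHttpHeaders() rejects when an HTTP/2 peer sends a
 * header value containing CR/LF. Assumes Netty 4.1 codec APIs.
 */
public class HeaderValidationDemo {

    /**
     * Hypothetical helper modelled on the hunk: copy HTTP/2 headers into an
     * HTTP/1.1-style HttpHeaders, dropping pseudo-headers (names starting with ':').
     * With validate=true Netty throws IllegalArgumentException for illegal
     * characters in a name or value; with validate=false they are copied verbatim.
     */
    static HttpHeaders toHttp1Headers(Http2Headers h2Headers, boolean validate) {
        HttpHeaders out = new DefaultHttpHeaders(validate);
        h2Headers.forEach(entry -> {
            CharSequence name = entry.getKey();
            if (name.length() > 0 && name.charAt(0) != ':') {
                out.add(name, entry.getValue());
            }
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed, hostile HTTP/2 header block. Validation is switched off on the
        // HTTP/2 side so the CR/LF survives into the value, as an unvalidated peer could send it.
        Http2Headers h2 = new DefaultHttp2Headers(false)
                .status("200")
                .add("content-type", "text/plain")
                .add("x-demo", "ok\r\nx-injected: 1");

        // Validation disabled (the code CodeQL flagged): the CR/LF is stored untouched, so
        // anything that later serialises or logs these headers line by line sees an extra header.
        HttpHeaders unchecked = toHttp1Headers(h2, false);
        System.out.println("validate=false stored value: "
                + unchecked.get("x-demo").replace("\r\n", "<CRLF>"));

        // Validation enabled (the autofix's DefaultHttpHeaders()): the offending header is
        // rejected at add() time. The caller has to expect that, or the exception escapes the handler.
        try {
            toHttp1Headers(h2, true);
            System.out.println("validate=true accepted the header block");
        } catch (IllegalArgumentException e) {
            // Defensive handling: treat the response as malformed and fail only this request/stream.
            System.out.println("validate=true rejected the header block: " + e.getMessage());
        }
    }
}
```

Run it with Netty 4.1 on the classpath: the `validate=false` branch prints the value with the embedded `<CRLF>` marker, while the `validate=true` branch takes the catch path. The catch block is the part the patch itself does not add; in the real handler the equivalent place to fail the request is around the `h2Headers.forEach` copy in handleHttp2HeadersFrame.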
