From 475f3612b1e0af67f0c06f5c2b32831c7df4382f Mon Sep 17 00:00:00 2001
From: Nate Hughes
Date: Wed, 8 Jul 2015 13:24:07 -0700
Subject: [PATCH] Bug 1136727 - Validate pseudo-header fields in HTTP/2. r=hurley

---
 netwerk/protocol/http/Http2Compression.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/netwerk/protocol/http/Http2Compression.cpp b/netwerk/protocol/http/Http2Compression.cpp
index cf649612eae..e89e56989f2 100644
--- a/netwerk/protocol/http/Http2Compression.cpp
+++ b/netwerk/protocol/http/Http2Compression.cpp
@@ -410,6 +410,11 @@ Http2Decompressor::OutputHeader(const nsACString &name, const nsACString &value)
     }
   }
   if(isColonHeader) {
+    // :status is the only pseudo-header field allowed in received HEADERS frames, PUSH_PROMISE allows the other pseudo-header fields
+    if (!name.EqualsLiteral(":status") && !mIsPush) {
+      LOG(("HTTP Decompressor found illegal response pseudo-header %s", name.BeginReading()));
+      return NS_ERROR_ILLEGAL_VALUE;
+    }
     if (mSeenNonColonHeader) {
       LOG(("HTTP Decompressor found illegal : header %s", name.BeginReading()));
       return NS_ERROR_ILLEGAL_VALUE;
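Review bot: The new guard only validates the non-push side: because `!mIsPush` short-circuits it, a pushed stream (assuming mIsPush marks PUSH_PROMISE decoding, as the added comment implies) still accepts any colon-prefixed name, including `:status` and pseudo-headers the protocol does not define, even though the comment says push allows "the other" pseudo-header fields. RFC 7540 section 8.1.2.1 treats undefined pseudo-headers, and response pseudo-headers in a request, as malformed, so the push branch should be checked against the four request pseudo-headers (`:method`, `:scheme`, `:authority`, `:path`) rather than skipped. The added comment line also runs well past 80 columns and should be wrapped to the file's width. OutputHeader begins and ends outside this hunk.
```cpp
  if(isColonHeader) {
    // Responses carry only :status; a pushed request carries only the four
    // request pseudo-headers (RFC 7540 8.1.2.1). Anything else is malformed.
    bool allowedPseudoHeader = mIsPush
      ? (name.EqualsLiteral(":method") || name.EqualsLiteral(":scheme") ||
         name.EqualsLiteral(":authority") || name.EqualsLiteral(":path"))
      : name.EqualsLiteral(":status");
    if (!allowedPseudoHeader) {
      LOG(("HTTP Decompressor found illegal pseudo-header %s", name.BeginReading()));
      return NS_ERROR_ILLEGAL_VALUE;
    }
    // … unchanged: mSeenNonColonHeader check …
```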