"is http2" detection doesn't seem quite correct

[mitchellwrosen]

wai/warp/Network/Wai/Handler/Warp/Run.hs

Line 390 in 2a7399f

if S.length bs0 >= 4 && "PRI " `S.isPrefixOf` bs0

Here we seem to determine whether this is an HTTP/2 request by reading some bytes off the wire, and if they are PRI , it is.

But there's no guarantee we read 4 bytes, of course. We could read PR, determine this isn't an HTTP/2 request, go down the HTTP/1 code path and proceed to read the remaining I !

[kazu-yamamoto]

Right.
But a question is whether or not we should rescue this corner case.

[mitchellwrosen]

Why is that a question?

[kazu-yamamoto]

Clients to send a few bytes at the beginning seem malicious.
Should we treat them kindly?

[davean]

This sounds like an argument for ossification <https://en.wikipedia.org/wiki/Protocol_ossification> over correctness. Why shouldn't it be able to handle a semantically correct connection if the server chooses to?

…

On Tue, May 7, 2024 at 7:29 PM Kazu Yamamoto ***@***.***> wrote: Clients to send a few bytes at the beginning seem malicious. Should we treat them kindly? — Reply to this email directly, view it on GitHub <#989 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABZLS7V2ZZFVPWO2RLE6VLZBFPUTAVCNFSM6AAAAABHI5Z2ZSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJZGQ3TAOJTGI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[mitchellwrosen]

@kazu-yamamoto For sure; it's clearly a corner case. Nonetheless, it's exactly the kind of thing I would expect to be handled correctly in a web server!

Regarding this,

Clients to send a few bytes at the beginning seem malicious.

My understanding is that even if an honest client sends a legitimately-sized "packet" of bytes, the server can nonetheless read an arbitrary number of them at each call to read().