Skip to content

bitreq: Add RFC 9112 compliance test vectors#660

Open
tnull wants to merge 3 commits into
rust-bitcoin:masterfrom
tnull:2026-07-spec-compliance
Open

bitreq: Add RFC 9112 compliance test vectors#660
tnull wants to merge 3 commits into
rust-bitcoin:masterfrom
tnull:2026-07-spec-compliance

Conversation

@tnull

@tnull tnull commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

In #659 we recently discovered that we aren't fully compliant with RFC 9112 / HTTP 1.1.

As a first step of mitigation, we here add some test vectors that cover the central points. We opted to mark the (33!) failing checks as ignored, so we can revisit and fix them in following PRs (instead of cramming everything into one PR).

  • Response/cache poisoning: Extra unsolicited bytes can be accepted as the next response (§§6.3, 9.2).
  • Request smuggling/injection: Custom methods and headers allow CR/control-character injection; conflicting Host fields are transmitted (§§2.2–5).
  • Ambiguous message framing: Requests can contain both Content-Length and Transfer-Encoding; conflicting response lengths are accepted (§§6.1–6.3).
  • Incomplete responses accepted: Premature EOF, missing terminal zero chunks, and truncated header sections can be treated as complete (§8).
  • Invalid response syntax accepted: Malformed status lines, bare CR, whitespace-prefixed fields, and obsolete line folding are not handled as required (§§2–5).
  • Incorrect transfer-coding handling: Coding lists such as gzip, chunked, HTTP/1.0 Transfer-Encoding, and trailers are mishandled (§§6–7).
  • Broken connection semantics: HTTP/1.1 persistence incorrectly requires keep-alive; sent Connection: close can be ignored; tokenized options are not parsed correctly (§§9.3, 9.6).
  • CONNECT noncompliance: CONNECT uses the wrong request-target, omits the required proxy Host, and treats successful CONNECT responses as ordinary bodies (§§3.2, 6.3).

And more minor:

  • Consume 1xx informational responses until the final response.
  • Treat clean async EOF as successful for valid close-delimited responses.
  • Retry unanswered pipelined requests without immediately re-pipelining.

tnull added 3 commits July 11, 2026 15:21
Exercise the HTTP/1.1 wire grammar so request generation and
response parsing gaps are visible before behavior is changed.

Co-Authored-By: HAL 9000
Cover response length and chunk decoding rules so incomplete or
ambiguous messages cannot pass unnoticed.

Co-Authored-By: HAL 9000
Cover persistence, closure, and pipelining rules so connection
reuse can be corrected against explicit expectations.

Refs: rust-bitcoin#659

Co-Authored-By: HAL 9000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant