HTTP/2: enforce strict 3-digit :status pseudo-header (#639)

arturobernalg · web-flow · commit 09a80d5ebe53 · 2026-02-26T20:56:54.000+01:00
Replace Integer.parseInt-based parsing with a strict 3-char digit check
(first digit 1..5) to reject values like "+200" and "0200".
diff --git a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2ResponseConverter.java b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2ResponseConverter.java
@@ -97,12 +97,7 @@ public HttpResponse convert(final List<Header> headers) throws HttpException {
         if (statusText == null) {
             throw new ProtocolException("Mandatory response header '%s' not found", H2PseudoResponseHeaders.STATUS);
         }
-        final int statusCode;
-        try {
-            statusCode = Integer.parseInt(statusText);
-        } catch (final NumberFormatException ex) {
-            throw new ProtocolException("Invalid response status: " + statusText);
-        }
+        final int statusCode = parseStatusCode(statusText);
         final HttpResponse response = new BasicHttpResponse(statusCode, null);
         response.setVersion(HttpVersion.HTTP_2);
         for (int i = 0; i < messageHeaders.size(); i++) {
@@ -149,4 +144,20 @@ public List<Header> convert(final HttpResponse message) throws HttpException {
         return headers;
     }
 
+    private static int parseStatusCode(final String statusText) throws ProtocolException {
+        if (statusText.length() != 3) {
+            throw new ProtocolException("Invalid response status: " + statusText);
+        }
+
+        final char c0 = statusText.charAt(0);
+        final char c1 = statusText.charAt(1);
+        final char c2 = statusText.charAt(2);
+
+        if (c0 < '1' || c0 > '5' || c1 < '0' || c1 > '9' || c2 < '0' || c2 > '9') {
+            throw new ProtocolException("Invalid response status: " + statusText);
+        }
+
+        return (c0 - '0') * 100 + (c1 - '0') * 10 + (c2 - '0');
+    }
+
 }
diff --git a/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2ResponseConverter.java b/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2ResponseConverter.java
@@ -28,6 +28,7 @@
 package org.apache.hc.core5.http2.impl;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.hc.core5.http.Header;
@@ -180,5 +181,25 @@ void testConvertFromFieldsMultipleCookies() throws Exception {
         Assertions.assertEquals("a=b; c=d; e=f", allHeaders[1].getValue());
     }
 
+    @Test
+    void testConvertFromFieldsStatusCodeMustBeStrictThreeDigit() {
+        final DefaultH2ResponseConverter converter = new DefaultH2ResponseConverter();
+
+        // Demonstrate why Integer.parseInt(...) is insufficient (it accepts non-3-digit formats).
+        final int parsedPlus = Assertions.assertDoesNotThrow(() -> Integer.parseInt("+200"));
+        Assertions.assertEquals(200, parsedPlus);
+
+        final int parsedLeadingZero = Assertions.assertDoesNotThrow(() -> Integer.parseInt("0200"));
+        Assertions.assertEquals(200, parsedLeadingZero);
+
+        // Converter must be strict: :status is exactly 3 digits, in range 100..599.
+        Assertions.assertThrows(HttpException.class,
+                () -> converter.convert(Collections.singletonList(new BasicHeader(":status", "+200"))));
+        Assertions.assertThrows(HttpException.class, () -> converter.convert(Collections.singletonList(new BasicHeader(":status", "0200"))));
+
+        Assertions.assertThrows(HttpException.class, () -> converter.convert(Collections.singletonList(new BasicHeader(":status", "099"))));
+        Assertions.assertThrows(HttpException.class, () -> converter.convert(Collections.singletonList(new BasicHeader(":status", "600"))));
+    }
+
 }
 
