From c346375a8b862edc0e833acdb2ba7dc8917c15fd Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 21 Mar 2025 19:48:30 -0400
Subject: [PATCH] HTTP/3: Do not allow invalid pseudo-header fields

RFC9114 requires invalid pseudo-header fields to be rejected, and this
is consistent with HTTP/2.
---
 src/http/v3/ngx_http_v3_request.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index e2ffc7543..66b8356a8 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -635,6 +635,10 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
         return NGX_ERROR;
     }
 
+    if (name->len && name->data[0] == ':') {
+        return ngx_http_v3_process_pseudo_header(r, name, value);
+    }
+
     if (r->invalid_header) {
         cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 
@@ -646,10 +650,6 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
         }
     }
 
-    if (name->len && name->data[0] == ':') {
-        return ngx_http_v3_process_pseudo_header(r, name, value);
-    }
-
     if (ngx_http_v3_init_pseudo_headers(r) != NGX_OK) {
         return NGX_ERROR;
     }