Google Git
Sign in
apache/httpcomponents-core/HEAD
commit
999a1e91aef6cbcd619ff9a7c57e1005c3e015a9
[log] [tgz]
author
Arturo Bernal <abernal@apache.org>
Fri Feb 20 05:59:00 2026 +0000
committer
GitHub <noreply@github.com>
Fri Feb 20 06:59:00 2026 +0100
tree
2ca9af047e024960dd80c4b4d904f9d363363cff
parent
b4c8268e0f0ea10126992a8396509d41620fef0b [diff]
HTTP/2: fix frame header parsing and validate SETTINGS ACK length (#628)

Parse the 24-bit Length field as an unsigned value, treat flags as an
unsigned byte, and mask out the reserved bit from the Stream Identifier.

Also enforce RFC 9113 ยง6.5: SETTINGS frames with ACK set MUST have an
empty payload (Length = 0); otherwise raise FRAME_SIZE_ERROR.
6 files changed
tree: 2ca9af047e024960dd80c4b4d904f9d363363cff
  1. .github/
  2. .mvn/
  3. httpcore5/
  4. httpcore5-h2/
  5. httpcore5-jackson2/
  6. httpcore5-reactive/
  7. httpcore5-testing/
  8. src/
  9. test-CA/
  10. .gitattributes
  11. .gitignore
  12. BUILDING.txt
  13. CODE_OF_CONDUCT.md
  14. doap_HttpComponents_Core.rdf
  15. LICENSE.txt
  16. mvnw
  17. mvnw.cmd
  18. NOTICE.txt
  19. pom.xml
  20. README.md
  21. RELEASE_NOTES.txt
  22. SECURITY.md
README.md

Apache HttpComponents Core

Welcome to the HttpCore component of the Apache HttpComponents project.

GitHub Actions Status Maven Central License

Building Instructions

For building from source instructions please refer to BUILDING.txt.

Dependencies

HttpCore requires Java 1.8 compatible runtime.

Protocol conformance

  • RFC 9110 - HTTP Semantics
  • RFC 9112 - Hypertext Transfer Protocol Version 1.1 (HTTP/1.1)
  • RFC 9113 - Hypertext Transfer Protocol Version 2 (HTTP/2)
  • RFC 7541 - HPACK: Header Compression for HTTP/2
  • RFC 1945 - Hypertext Transfer Protocol -- HTTP/1.0
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 9218 - Extensible Prioritization Scheme for HTTP

Licensing

Apache HttpComponents Core is licensed under the Apache License 2.0. See the files LICENSE.txt and NOTICE.txt for more information.

Contact

Cryptographic Software Notice

This distribution may include software that has been designed for use with cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See https://www.wassenaar.org/ for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included software that may be subject to export controls on cryptographic software:

Apache HttpComponents Core interfaces with the Java Secure Socket Extension (JSSE) API to provide

  • HTTPS support

Apache HttpComponents Core does not include any implementation of JSSE.