From 44cc8e7d6896c723e5738ce21dd74e27763baf3a Mon Sep 17 00:00:00 2001
From: Arturo Bernal
Date: Mon, 16 Feb 2026 10:31:18 +0100
Subject: [PATCH] Reject duplicate :authority pseudo-header in HTTP/2 request conversion. RFC 9113 forbids repeated pseudo-header fields; treat such requests as malformed.
---
 .../http2/impl/DefaultH2RequestConverter.java | 3 +++
 .../impl/TestDefaultH2RequestConverter.java | 20 +++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2RequestConverter.java b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2RequestConverter.java
index 1a1ef20ee..20f6dde52 100644
--- a/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2RequestConverter.java
+++ b/httpcore5-h2/src/main/java/org/apache/hc/core5/http2/impl/DefaultH2RequestConverter.java
@@ -97,6 +97,9 @@ public HttpRequest convert(final List headers) throws HttpException {
 path = value;
 break;
 case H2PseudoRequestHeaders.AUTHORITY:
+ if (authority != null) {
+ throw new ProtocolException("Multiple '%s' request headers are illegal", name);
+ }
 authority = value;
 break;
 case H2PseudoRequestHeaders.PROTOCOL:
diff --git a/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2RequestConverter.java b/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2RequestConverter.java
index e7f4b3943..70d25751a 100644
--- a/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2RequestConverter.java
+++ b/httpcore5-h2/src/test/java/org/apache/hc/core5/http2/impl/TestDefaultH2RequestConverter.java
@@ -563,6 +563,26 @@ void testInvalidOptionsNeitherAsteriskNorRoot() {
 Assertions.assertThrows(ProtocolException.class, () -> converter.convert(headers));
 }
+ @Test
+ void testConvertFromFieldsMultipleAuthority() {
+ final List
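Review bot: The duplicate guard in the `AUTHORITY` case keys on `authority != null`, so it only fires when the first `:authority` field carried a non-null value; if `convert` can ever receive a `Header` whose `getValue()` is null, a second `:authority` would still overwrite the first without an error. Whether that can happen depends on callers outside this hunk (HPACK-decoded fields presumably always have a value); if it is not guaranteed, a separate `boolean authoritySeen` flag set in this case would make the check independent of the value. The guard also deserves a one-line why-comment, e.g. `// RFC 9113: a pseudo-header field must not repeat; overwriting would let peers disagree on the target host`, because the context lines show that the previous behaviour was a silent last-value-wins assignment. The `switch` and the rest of `convert` start and end outside the hunk.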
headers = Arrays.asList(
+ new BasicHeader(":method", "GET"),
+ new BasicHeader(":scheme", "https"),
+ new BasicHeader(":authority", "www.example.com"),
+ new BasicHeader(":authority", "www2.example.com"),
+ new BasicHeader(":path", "/"));
+
+ final DefaultH2RequestConverter converter = new DefaultH2RequestConverter();
+
+ final ProtocolException ex = Assertions.assertThrows(
+ ProtocolException.class,
+ () -> converter.convert(headers));
+
+ Assertions.assertTrue(
+ ex.getMessage().contains("Multiple ':authority' request headers are illegal"),
+ ex::getMessage);
+ }
+ }
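Review bot: `testConvertFromFieldsMultipleAuthority` exercises only two different, non-empty `:authority` values, so it does not pin that rejection depends on the field repeating rather than on the values differing. A second case that sends the same value twice, and one where the first field is empty (`new BasicHeader(":authority", "")`), would lock the presence-based check in. The `contains(...)` assertion ties the test to the exact message wording, which is fine as long as that is intended.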