Forbid or replace empty targets in HTTP/1.1 requests (#469)

ruslandoga · web-flow · commit 02abd6ec2f8f · 2025-08-11T09:16:22.000+02:00
diff --git a/lib/mint/http1.ex b/lib/mint/http1.ex
@@ -978,6 +978,7 @@ defmodule Mint.HTTP1 do
   # Percent-encoding is not case sensitive so we have to account for lowercase and uppercase.
   @hex_characters ~c"0123456789abcdefABCDEF"
 
+  defp validate_target(<<>> = empty_target), do: {:error, {:invalid_request_target, empty_target}}
   defp validate_target(target), do: validate_target(target, target)
 
   defp validate_target(<<?%, char1, char2, rest::binary>>, original_target)
diff --git a/test/mint/http1/conn_test.exs b/test/mint/http1/conn_test.exs
@@ -761,7 +761,7 @@ defmodule Mint.HTTP1Test do
                """)
     end
 
-    @invalid_request_targets ["/ /", "/%foo", "/foo%x"]
+    @invalid_request_targets ["", "/ /", "/%foo", "/foo%x"]
     test "targets are validated by default", %{port: port, server_ref: server_ref} do
       assert {:ok, conn} = HTTP1.connect(:http, "localhost", port)
 
