Reject client enable-push settings

Author: Mirochill

CHANGELOG.rst

@@ -27,6 +27,7 @@ dev
 **Bugfixes**
 
 - Fix to allow sending 0 bytes on a stream even if the flow control window is negative.
+- Reject non-zero ``SETTINGS_ENABLE_PUSH`` values received from clients.
 
 4.3.0 (2025-08-23)
 ------------------

src/h2/connection.py

@@ -1777,6 +1777,8 @@ def _receive_settings_frame(self, frame: SettingsFrame) -> tuple[list[Frame], li
             return [], events
 
         # Add the new settings.
+        for setting, value in frame.settings.items():
+            self.remote_settings.validate_received_setting(setting, value)
         self.remote_settings.update(frame.settings)
         events.append(
             RemoteSettingsChanged.from_settings(

src/h2/settings.py

@@ -126,6 +126,8 @@ class Settings(MutableMapping[SettingCodes | int, int]):
     """
 
     def __init__(self, client: bool = True, initial_values: dict[SettingCodes, int] | None = None) -> None:
+        self._client = client
+
         # Backing object for the settings. This is a dictionary of
         # (setting: [list of values]), where the first value in the list is the
         # current value of the setting. Strictly this doesn't use lists but
@@ -287,6 +289,30 @@ def __setitem__(self, key: SettingCodes | int, value: int) -> None:
 
         items.append(value)
 
+    def validate_received_setting(self, setting: SettingCodes | int, value: int) -> None:
+        """
+        Validate a setting received from the peer that owns this Settings
+        object.
+
+        Clients may advertise ``ENABLE_PUSH`` only as ``0`` in received
+        SETTINGS frames.
+        """
+        invalid = _validate_setting(setting, value)
+        if (
+            not invalid
+            and self._client
+            and setting == SettingCodes.ENABLE_PUSH
+            and value != 0
+        ):
+            invalid = ErrorCodes.PROTOCOL_ERROR
+
+        if invalid:
+            msg = f"Setting {setting} has invalid value {value}"
+            raise InvalidSettingsValueError(
+                msg,
+                error_code=invalid,
+            )
+
     def __delitem__(self, key: SettingCodes | int) -> None:
         del self._settings[key]
 

tests/test_invalid_frame_sequences.py

@@ -266,6 +266,22 @@ def test_reject_invalid_settings_values(self, frame_factory, settings) -> None:
             h2.errors.ErrorCodes.PROTOCOL_ERROR
         )
 
+    def test_reject_client_enable_push_updates(self, frame_factory) -> None:
+        """
+        Servers reject clients that advertise non-zero SETTINGS_ENABLE_PUSH
+        values in received SETTINGS frames.
+        """
+        c = h2.connection.H2Connection(config=self.server_config)
+        c.initiate_connection()
+        c.receive_data(frame_factory.preamble())
+
+        f = frame_factory.build_settings_frame(settings={0x2: 1})
+
+        with pytest.raises(h2.exceptions.InvalidSettingsValueError) as e:
+            c.receive_data(f.serialize())
+
+        assert e.value.error_code == h2.errors.ErrorCodes.PROTOCOL_ERROR
+
     @pytest.mark.parametrize("request_headers", [example_request_headers, example_request_headers_bytes])
     def test_invalid_frame_headers_are_protocol_errors(self, frame_factory, request_headers) -> None:
         """