HTTP/1.1: normalize Host header
authorAmos Jeffries <squid3@treenet.co.nz>
Mon, 2 May 2016 06:09:13 +0000 (18:09 +1200)
committerAmos Jeffries <squid3@treenet.co.nz>
Mon, 2 May 2016 06:09:13 +0000 (18:09 +1200)
When an absolute-URI is provided, the Host header should be ignored. However,
some code still uses Host directly, so normalize it using the previously
sanitized URL authority value before doing any further request processing.

For now preserve the case where Host is completely absent. That matters
to the CVE-2009-0801 protection.

This also has the desirable side effect of removing multiple or duplicate
Host header entries.

src/servers/Http1Server.cc

index a1520805c5c4d2e6f04c360447378576343495f1..b62aee8fb448d2cf4e7928b7a2a2f4ff00ea3cf9 100644 (file)
@@ -173,6 +173,16 @@ Http::One::Server::buildHttpRequest(Http::Stream *context)
         return false;
     }
 
+    // when absolute-URI is provided Host header should be ignored. However
+    // some code still uses Host directly so normalize it using the previously
+    // sanitized URL authority value.
+    // For now preserve the case where Host is completely absent. That matters.
+    if (const auto x = request->header.delById(Http::HOST)) {
+        debugs(33, 5, "normalize " << x << " Host header using " << request->url.authority());
+        SBuf tmp(request->url.authority());
+        request->header.putStr(Http::HOST, tmp.c_str());
+    }
+
     http->request = request.getRaw();
     HTTPMSGLOCK(http->request);
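Review bot: The new `if` block folds any number of Host fields into one and records it only at debug level 5, so a request carrying duplicate or conflicting Host headers (a typical request-smuggling or cache-poisoning signal, and a case where RFC 7230 section 5.4 says a server must answer 400) leaves no operator-visible trace. `x` appears to be the count of removed entries, so a line such as `if (x > 1) debugs(33, 2, "multiple Host headers (" << x << ") replaced with " << request->url.authority());` would keep that evidence; whether such requests are rejected elsewhere is not visible from this hunk. The block also runs for every request that has a Host header, not only absolute-URI ones as the comment states, and the comment drops the reason given in the commit message; I would write `// Preserve the case where Host is completely absent: the CVE-2009-0801 protection depends on it.` buildHttpRequest starts and ends outside this hunk.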