Rework CVE-2009-0801 case set

 * Correct results when Host: and URL both contain an unusual port.
 * Catch additional cases where implicit default port is made explicit

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index b297fa97ba2efc12ebb50cfb58e137943a0f4d76..9de7ec0d3b5dde0b7ffd674f71e76bafa8fd7046 100644 (file)
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -619,33 +619,35 @@ ClientRequestContext::hostHeaderVerify()
 
     debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
     if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
-        // verify the port (if any) matches the apparent destination
+        // verify the Host: port (if any) matches the apparent destination
         if (portStr && port != http->getConn()->clientConnection->local.GetPort()) {
             debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() <<
                    " matches Host: port " << port << " (" << portStr << ")");
             hostHeaderVerifyFailed("intercepted port", portStr);
-            safe_free(hostB);
-            return;
-        }
-        // XXX: match the scheme default port against the apparent destination
-
-        // verify the destination DNS is one of the Host: headers IPs
-        ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
-        safe_free(hostB);
-        return;
-    }
-    safe_free(hostB);
+        } else {
+            // XXX: match the scheme default port against the apparent destination
 
-    // Verify forward-proxy requested URL domain matches the Host: header
-    host = http->request->header.getStr(HDR_HOST);
-    if (strcmp(host, http->request->GetHost()) != 0) {
+            // verify the destination DNS is one of the Host: headers IPs
+            ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
+        }
+    } else if (strcmp(host, http->request->GetHost()) != 0) {
+        // Verify forward-proxy requested URL domain matches the Host: header
         debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
         hostHeaderVerifyFailed(host, http->request->GetHost());
-        return;
+    } else if (portStr && port != http->request->port) {
+        // Verify forward-proxy requested URL domain matches the Host: header
+        debugs(85, 3, HERE << "FAIL on validate URL port " << http->request->port << " matches Host: port " << portStr);
+        hostHeaderVerifyFailed("URL port", portStr);
+    } else if (!portStr && http->request->port != urlDefaultPort(http->request->protocol)) {
+        // Verify forward-proxy requested URL domain matches the Host: header
+        debugs(85, 3, HERE << "FAIL on validate URL port " << http->request->port << " matches Host: default port " << urlDefaultPort(http->request->protocol));
+        hostHeaderVerifyFailed("URL port", "default port");
+    } else {
+        // Okay no problem.
+        debugs(85, 3, HERE << "validate passed.");
+        http->doCallouts();
     }
-
-    debugs(85, 3, HERE << "validate passed.");
-    http->doCallouts();
+    safe_free(hostB);
 }
 
 /* This is the entry point for external users of the client_side routines */