Bug 4501: HTTP/1.1: normalize Host header

When absolute-URI is provided Host header should be ignored. However some
code still uses Host directly so normalize it using the URL authority
value before doing any further request processing.

For now preserve the case where Host is completely absent. That matters
to the CVE-2009-0801 protection.

This also has the desirable side effect of removing multiple or duplicate
Host header entries, and invalid port values.

diff --git a/src/client_side.cc b/src/client_side.cc
index 92528c5ad078c426a4311d208860f7a3b3c60076..d348fdf016629b3fa91864c2de508eb1e93b8cbb 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2661,6 +2661,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
             clientProcessRequestFinished(conn, request);
             return;
         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
     }
 
     // Some blobs below are still HTTP-specific, but we would have to rewrite