From: Amos Jeffries Date: Mon, 2 May 2016 06:09:13 +0000 (+1200) Subject: HTTP/1.1: normalize Host header X-Git-Tag: SQUID_4_0_10~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b35bf4e58ca28895b4783eb950abc02f31e51db4;p=thirdparty%2Fsquid.git HTTP/1.1: normalize Host header When absolute-URI is provided Host header should be ignored. However some code still uses Host directly so normalize it using the previously sanitized URL authority value before doing any further request processing. For now preserve the case where Host is completely absent. That matters to the CVE-2009-0801 protection. This also has the desirable side effect of removing multiple or duplicate Host header entries. --- diff --git a/src/servers/Http1Server.cc b/src/servers/Http1Server.cc index a1520805c5..b62aee8fb4 100644 --- a/src/servers/Http1Server.cc +++ b/src/servers/Http1Server.cc @@ -173,6 +173,16 @@ Http::One::Server::buildHttpRequest(Http::Stream *context) return false; } + // when absolute-URI is provided Host header should be ignored. However + // some code still uses Host directly so normalize it using the previously + // sanitized URL authority value. + // For now preserve the case where Host is completely absent. That matters. + if (const auto x = request->header.delById(Http::HOST)) { + debugs(33, 5, "normalize " << x << " Host header using " << request->url.authority()); + SBuf tmp(request->url.authority()); + request->header.putStr(Http::HOST, tmp.c_str()); + } + http->request = request.getRaw(); HTTPMSGLOCK(http->request);