From b35bf4e58ca28895b4783eb950abc02f31e51db4 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 2 May 2016 18:09:13 +1200
Subject: [PATCH] HTTP/1.1: normalize Host header

When absolute-URI is provided Host header should be ignored. However some code still uses Host directly so normalize it using the previously sanitized URL authority value before doing any further request processing. For now preserve the case where Host is completely absent. That matters to the CVE-2009-0801 protection. This also has the desirable side effect of removing multiple or duplicate Host header entries.
---
 src/servers/Http1Server.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/servers/Http1Server.cc b/src/servers/Http1Server.cc
index a1520805c5..b62aee8fb4 100644
--- a/src/servers/Http1Server.cc
+++ b/src/servers/Http1Server.cc
@@ -173,6 +173,16 @@ Http::One::Server::buildHttpRequest(Http::Stream *context)
 return false;
 }
 
+ // when absolute-URI is provided Host header should be ignored. However
+ // some code still uses Host directly so normalize it using the previously
+ // sanitized URL authority value.
+ // For now preserve the case where Host is completely absent. That matters.
+ if (const auto x = request->header.delById(Http::HOST)) {
+ debugs(33, 5, "normalize " << x << " Host header using " << request->url.authority());
+ SBuf tmp(request->url.authority());
+ request->header.putStr(Http::HOST, tmp.c_str());
+ }
+
 http->request = request.getRaw();
 HTTPMSGLOCK(http->request);
 
-- 
2.47.3
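Review bot: The `debugs(33, 5, ...)` line records only `x`, which appears to be whatever `delById()` returns rather than the Host text the client sent, so the original value is discarded without a trace even when it disagreed with the URL authority. A disagreement between Host and the absolute-URI authority is a signal operators usually want to see, so consider reading the old value before the delete and logging it at a more visible level when it differs from `request->url.authority()`. The in-code comment also drops the reason the commit message gives; ending it with `// For now preserve the case where Host is completely absent. That matters to the CVE-2009-0801 protection.` keeps the rationale next to the code. As far as the hunk shows, the block runs for every request that carries a Host header, not only absolute-URI ones, so it is worth confirming that `authority()` cannot be empty at this point. `buildHttpRequest` begins and ends outside the hunk.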