[PATCH] Add strict Host validation
piotr at cloudflare.com
Mon Jan 12 23:45:03 UTC 2015
> I still think it's a "no". If needed, allowed characters can be
> easily restricted by a configuration.

Just to make a point:

$ curl -I nginx.org
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 23:42:27 GMT
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 23 Dec 2014 15:38:45 GMT

$ curl -I nginx.org -H"Host: /"
HTTP/1.1 400 Bad Request
Date: Mon, 12 Jan 2015 23:42:38 GMT

$ curl -I nginx.org -H"Host: \$"
curl: (52) Empty reply from server

You cannot possibly tell me that's correct and/or expected behavior?
And that's not even a control character.