[PATCH] Add strict Host validation
Maxim Dounin
mdounin at mdounin.ru
Fri Dec 19 16:37:05 UTC 2014
Hello!
On Wed, Dec 17, 2014 at 06:48:37PM -0800, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1418870862 28800
> # Wed Dec 17 18:47:42 2014 -0800
> # Node ID ab0442e232ce098438943a77422d8a04cc5b6790
> # Parent 99751fe3bc3b285801b434f7f707d87fa42b093e
> Add strict Host validation.
>
> According to RFC3986, Host is a sequence of printable ASCII characters,
> with the exception of: space, ", #, /, <, >, ?, @, \, ^, `, {, | and }.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 99751fe3bc3b -r ab0442e232ce src/http/ngx_http_request.c
> --- a/src/http/ngx_http_request.c Fri Dec 12 20:25:42 2014 +0300
> +++ b/src/http/ngx_http_request.c Wed Dec 17 18:47:42 2014 -0800
> @@ -1955,12 +1955,25 @@ ngx_http_validate_host(ngx_str_t *host,
> }
> break;
>
> - case '\0':
> + case ' ':
> + case '"':
> + case '#':
> + case '/':
> + case '<':
> + case '>':
> + case '?':
> + case '@':
> + case '\\':
> + case '^':
> + case '`':
> + case '{':
> + case '|':
> + case '}':
> return NGX_DECLINED;
>
> default:
>
> - if (ngx_path_separator(ch)) {
> + if (ch < 0x20 || ch > 0x7e) {
> return NGX_DECLINED;
> }
I don't think we should further restrict allowed hostnames solely
based on what current edition of standard says. We are more or
less liberal here, allowing various experiments - and I don't
think this should be changed without a good reason.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list