[PATCH] Add strict Host validation

Piotr Sikora piotr at cloudflare.com
Mon Jan 12 23:45:03 UTC 2015

Hey Maxim,

> I still think it's a "no".  If needed, allowed characters can be
> easily restricted by a configuration.

Just to make a point:

$ curl -I nginx.org
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015 23:42:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8981
Last-Modified: Tue, 23 Dec 2014 15:38:45 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "54998c85-2315"
Accept-Ranges: bytes

$ curl -I nginx.org -H"Host: /"
HTTP/1.1 400 Bad Request
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015 23:42:38 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

$ curl -I nginx.org -H"Host: \$"
curl: (52) Empty reply from server

You cannot possibly tell me that's correct and/or expected behavior?
And that's not even a control character.

Best regards,
Piotr Sikora

More information about the nginx-devel mailing list