[PATCH] Add strict Host validation
Piotr Sikora
piotr at cloudflare.com
Mon Jan 12 23:45:03 UTC 2015

Hey Maxim,

> I still think it's a "no". If needed, allowed characters can be
> easily restricted by a configuration.

Just to make a point:

$ curl -I nginx.org
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015 23:42:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8981
Last-Modified: Tue, 23 Dec 2014 15:38:45 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "54998c85-2315"
Accept-Ranges: bytes

$ curl -I nginx.org -H"Host: /"
HTTP/1.1 400 Bad Request
Server: nginx/1.7.7
Date: Mon, 12 Jan 2015 23:42:38 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

$ curl -I nginx.org -H"Host: \$"
curl: (52) Empty reply from server

You cannot possibly tell me that's correct and/or expected behavior?
And that's not even a control character.

Best regards,
Piotr Sikora
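
An added example, not part of the original message and not the patch under discussion: a strict Host check that gives a defined rejection for both of the values tried above ("/" and "$"). The function name `strict_host_ok` and the policy (LDH labels or a bracketed IPv6 literal, optional numeric port, deliberately narrower than the RFC 3986 host grammar) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed strict policy (illustration only, stricter than RFC 3986):
 *   host = LDH labels joined by '.', or a bracketed IPv6 literal,
 *   optionally followed by ":" and 1-5 digits.
 * Returns 1 if the Host value is acceptable, 0 if it should get a 400. */
int strict_host_ok(const char *host)
{
    size_t i = 0, label = 0, start, n = strlen(host);
    if (n == 0 || n > 255)
        return 0;
    if (host[0] == '[') {
        for (i = 1; i < n && host[i] != ']'; i++) {
            unsigned char c = (unsigned char)host[i];
            if (!isxdigit(c) && c != ':' && c != '.')
                return 0;           /* only hex digits, ':' and '.' inside [] */
        }
        if (i == n || i == 1)       /* unterminated, or empty "[]" */
            return 0;
        i++;                        /* step past ']' */
    } else {
        for (; i < n && host[i] != ':'; i++) {
            unsigned char c = (unsigned char)host[i];
            if (c == '.') {
                if (label == 0 || host[i - 1] == '-')
                    return 0;       /* empty label, or label ending in '-' */
                label = 0;
            } else if (isalnum(c) || (c == '-' && label > 0)) {
                if (++label > 63)
                    return 0;       /* DNS label length limit */
            } else {
                return 0;           /* '/', '$', spaces, control bytes, ... */
            }
        }
        if (i == 0 || host[i - 1] == '-')
            return 0;
    }

    if (i == n)
        return 1;                   /* no port */
    if (host[i++] != ':')
        return 0;                   /* junk after "[...]" */
    for (start = i; i < n; i++)
        if (!isdigit((unsigned char)host[i]))
            return 0;
    return i - start >= 1 && i - start <= 5;
}
```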