[PATCH] Add strict Host validation
Ruslan Ermilov
ru at nginx.com
Tue Jan 13 12:39:00 UTC 2015
On Mon, Jan 12, 2015 at 03:45:03PM -0800, Piotr Sikora wrote:
> Hey Maxim,
>
> > I still think it's a "no". If needed, allowed characters can be
> > easily restricted by a configuration.
>
> Just to make a point:
>
> $ curl -I nginx.org
> HTTP/1.1 200 OK
> Server: nginx/1.7.7
> Date: Mon, 12 Jan 2015 23:42:27 GMT
> Content-Type: text/html; charset=utf-8
> Content-Length: 8981
> Last-Modified: Tue, 23 Dec 2014 15:38:45 GMT
> Connection: keep-alive
> Keep-Alive: timeout=15
> ETag: "54998c85-2315"
> Accept-Ranges: bytes
>
> $ curl -I nginx.org -H"Host: /"
> HTTP/1.1 400 Bad Request
> Server: nginx/1.7.7
> Date: Mon, 12 Jan 2015 23:42:38 GMT
> Content-Type: text/html
> Content-Length: 172
> Connection: close
>
> $ curl -I nginx.org -H"Host: \$"
> curl: (52) Empty reply from server
>
> You cannot possibly tell me that's correct and/or expected behavior?
> And that's not even a control character.
That's because this site is configured to reject unknown server
names, like here:
http://nginx.org/en/docs/http/server_names.html#miscellaneous_names
: In catch-all server examples the strange name “_” can be seen:
:
: server {
:     listen 80 default_server;
:     server_name _;
:     return 444;
: }
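As an added model of the two layers this exchange touches (not code from the thread or from nginx): a syntactic check of the Host header against the RFC 7230 `Host = uri-host [ ":" port ]` grammar with RFC 3986 `reg-name` characters, plus the configured `server_name` allow-list and the catch-all `return 444` block quoted above. The exact character rules of nginx's own parser are not stated in the thread, so the grammar used here is an assumption; under it "/" is malformed (400) while "$" is a legal sub-delim that simply matches no configured name (444), which reproduces the two curl results quoted above.

```python
import re

# RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims ).
# "$" is a sub-delim and therefore syntactically legal in a host; "/" is not.
# Assumption: a "strict Host validation" check follows this grammar.
_REG_NAME_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")
_IPV6_LITERAL_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")  # loose IP-literal check
_PORT_RE = re.compile(r"^[0-9]*$")                      # port may be empty


def split_host_port(host_header):
    """Split 'uri-host [":" port]' into (uri-host, port); None if unparseable."""
    if host_header.startswith("["):            # IPv6 literal: port follows ']'
        end = host_header.find("]")
        if end == -1:
            return None
        host, rest = host_header[:end + 1], host_header[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        return host, rest[1:]
    host, _sep, port = host_header.partition(":")
    return host, port


def host_is_well_formed(host_header):
    """Syntactic check only: does the value match the Host header grammar?"""
    parts = split_host_port(host_header)
    if parts is None:
        return False
    host, port = parts
    if not _PORT_RE.match(port):
        return False
    if host.startswith("["):
        return bool(_IPV6_LITERAL_RE.match(host))
    return bool(_REG_NAME_RE.match(host))


def select_server(host_header, server_names, catch_all_action=444):
    """Model the behaviour described in the thread: a malformed Host is a
    400, a well-formed Host matching no configured server_name falls to the
    catch-all 'server_name _; return 444;' block (connection closed without a
    response), and a configured name is served (200)."""
    if not host_is_well_formed(host_header):
        return 400
    host, _port = split_host_port(host_header)
    if host.lower() in {name.lower() for name in server_names}:
        return 200
    return catch_all_action


if __name__ == "__main__":
    # Constructed inputs mirroring the curl requests quoted in the thread.
    for hdr in ("nginx.org", "/", "$"):
        print(repr(hdr), "->", select_server(hdr, ["nginx.org"]))
```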