Is $http_host dangerous?
x7311
nginx-forum at nginx.us
Sun May 27 21:56:23 UTC 2012
Hi Francis,
Thanks for the response.
After reading the documentation,
http://wiki.nginx.org/HttpCoreModule#.24host
When the HOST is empty, it's responded with 400 as expected.
I think the argument would come down to whether we trust the value sent
by the user.
In both use of $http_host and $host, I think the 3rd curl command is
trying to send a custom header whose HOST value is user-defined? I
believe that if we compromised the DNS or the network for example, there
is a possible way to hijack the nginx servers by modifying the
header....
Since $host is a strict version of $http_host, and when it's empty it
uses $server_name directive, I believe it's a small bit of extra
security layer.... besides gettin rid off the port number in the
response?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,226866,226882#msg-226882
More information about the nginx
mailing list