From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001 From: Catalin Enache Date: Mon, 23 May 2016 12:47:39 +0300 Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header Upstream-Status: Backport CVE: CVE-2016-4553 When absolute-URI is provided Host header should be ignored. However some code still uses Host directly so normalize it using the URL authority value before doing any further request processing. For now preserve the case where Host is completely absent. That matters to the CVE-2009-0801 protection. This also has the desirable side effect of removing multiple or duplicate Host header entries, and invalid port values. Signed-off-by: Catalin Enache --- src/client_side.cc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/client_side.cc b/src/client_side.cc index 8c41c21..36a27de 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c clientProcessRequestFinished(conn, request); return; } + + // when absolute-URI is provided Host header should be ignored. However + // some code still uses Host directly so normalize it. + // For now preserve the case where Host is completely absent. That matters. + if (request->header.has(HDR_HOST)) { + const char *host = request->header.getStr(HDR_HOST); + SBuf authority(request->GetHost()); + if (request->port != urlDefaultPort(request->url.getScheme())) + authority.appendf(":%d", request->port); + debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host); + // URL authority overrides Host header + request->header.delById(HDR_HOST); + request->header.putStr(HDR_HOST, authority.c_str()); + } } // Some blobs below are still HTTP-specific, but we would have to rewrite -- 2.7.4