httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24396] New: - Multiple host headers are accepted and get concatenated
Date Tue, 04 Nov 2003 15:22:51 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24396>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24396

Multiple host headers are accepted and get concatenated

           Summary: Multiple host headers are accepted and get concatenated
           Product: Apache httpd-1.3
           Version: 1.3.28
          Platform: PC
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache@snakefarm.org


If an HTTP request contains more than one host header line like in

GET / HTTP/1.1
Host: host1
Host: host2
Connection: close

all host headers get concatenated and are treated as if only one host header
containing "host1, host2" had been given. While this makes sense for other
headers like X-Forwarded-For, you cannot request data from multiple hosts in one
single HTTP request.

RFC 2616 doesn't explicitly state that there must not be more than one host
header per request but I think it implies it by referring to "the host header"
throughout the document.

I suggest that multiple host headers be rejected with a "400 Bad Request" response.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
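
The behaviour described in the report, next to the rejection it proposes, as an added example (not part of the original message and not Apache httpd code). The function names are hypothetical and the sample bytes are constructed from the request quoted in the report.

```python
# Constructed sample: the request quoted in the report, as wire bytes.
SAMPLE = (b"GET / HTTP/1.1\r\n"
          b"Host: host1\r\n"
          b"Host: host2\r\n"
          b"Connection: close\r\n\r\n")


def parse_headers(raw: bytes):
    """Return (request_line, [(lowercased name, value), ...]) in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    fields = []
    for line in lines:
        name, sep, value = line.partition(":")
        # No colon, empty name, or whitespace around the name: not a valid field.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip()))
    return request_line, fields


def merged_view(fields):
    """Merge repeated fields with ', ' (the behaviour the report describes)."""
    merged = {}
    for name, value in fields:
        merged[name] = merged[name] + ", " + value if name in merged else value
    return merged


def check_host(raw: bytes):
    """Return (status, host); 400 when more than one Host field is present."""
    try:
        _, fields = parse_headers(raw)
    except ValueError:
        return 400, None
    # Field names are case-insensitive, so compare the lowercased form.
    hosts = [value for name, value in fields if name == "host"]
    if len(hosts) > 1:
        return 400, None
    return 200, hosts[0] if hosts else None


if __name__ == "__main__":
    print("merged :", merged_view(parse_headers(SAMPLE)[1])["host"])
    print("strict :", check_host(SAMPLE))
```

Counting the fields before any merging is what makes the check reliable: once the values are joined, a duplicated header can no longer be told apart from a single header whose value contains a comma.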

