httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 57563] New: Replace Host: header field when absolute request-target
Date Wed, 11 Feb 2015 03:09:59 GMT

            Bug ID: 57563
           Summary: Replace Host: header field when absolute
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_proxy

Created attachment 32449
Fix for proxy_util.c, adding check for absolute URI


When mod_proxy processes requests that have an absolute request-target in the
request-line, and ProxyPreserveHost is enabled, it incorrectly sends the
original Host: header on to the origin server. According to RFC 7230, Section

"When a proxy receives a request with an absolute-form of request-target, the
proxy MUST ignore the received Host header field (if any) and instead replace
it with the host information of the request-target.  A proxy that forwards such
a request MUST generate a new Host field-value based on the received
request-target rather than forward the received Host field-value."

It is certainly an abnormal scenario, but repeatable on the latest version of
httpd (2.4.12) (I can provide use-case instructions if needed).

I have now spent a good chunk of time trying to understand the pertinent parts
of the Apache Httpd source code and have come up with the following code
snippet that, I believe, corrects this in the most suitable location, where
mod_proxy gathers the incoming headers and prepares them for the outgoing
request to the origin server or other downstream proxy. It only executes in the
event that ProxyPreserveHost is set and then only if an absolute-form of
request-target was supplied.

Although the RFC text in question specifically talks about proxy servers,
Section 5.3.2 does state the following:

"To allow for transition to the absolute-form for all requests in some future
version of HTTP, a server MUST accept the absolute-form in requests, even
though HTTP/1.1 clients will only send them in requests to proxies."

Also, Section 5.2 of the now deprecated RFC2616 talks about how any origin
server that recieves an absoluteURI in the Request-URI, must ignore the Host:

"1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any
Host header field value in the request MUST be ignored."

It does not specify if it should remove/modify the host header. Also I cannot
find the equivalent wording in RFC7230 pertaining to this. I agree with that the Host: header
should be modified so I will add additional comments there instead of creating
a new bug report.

If this issue is fixed at the core level in the above linked bug, then it would
no longer need to be addressed within mod_proxy.



You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message