httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 03:16:19 GMT
On Mon, 15 Jul 1996, sameer wrote:

> > Hmm. No. I think the real solution (and http11.patch has this in it, btw,
> > since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
> > ": 80". Try that, see if it works.
> 	OK. I'll have to futz with stuff to make it say "443" if the
> user is connecting with SSL.

Yep, because 443 is the default port for SSL. Just like over in
check_fulluri(), you'll have to look for https:// instead of http:// -
which brings up a very interesting question: can you do SSL on ports
other than 443? If so, how does a server that supports both HTTP and
SSLized HTTP know which one to use if the port isn't 80/443? Would it
have to be configured such? (I guess so, because they didn't
just use 80 in the first place)

> 	Your note below is interesting, because *NETSCAPE* doesn't
> send :port when connecting to servers (at least not for ports 443 and
> 80). I like the no default port behavior, I only wish netscape would
> be compliant.

It sends them when you type them into the URL field (or a link
does). For example, telling Netscape "http://foo/" will send "Host:
foo". "http://foo:3456" will send "Host: foo:3456". "http://foo:80"
will send "Host: foo:80". I don't do any SSL, but I imagine for
"https://foo/" it would send "Host: foo" and "https://foo:4567" it
would send "Host: foo:4567". But I don't know. SSL is an interesting
creature, because it pretends to be HTTP, but isn't; HTTP's default
port number is 80, SSL's is 443. I imagine that can cause
problems like this.

> > * Historical note: Originally, when http-wg decided to use the Host:
> > header (as opposed to Orig-URI:), the spec said the format of the header
> > should be "Host: f.q.d.n", the port number being obtainable via other
> > means. However, Netscape screwed up and made it "Host: f.q.d.n:portnum" if
> > there was a port in the original URI. So the spec was changed. However,
> > there are still a couple browsers out there (old versions of emacs-w3, I
> > think, mostly) that don't send the port number, so Apache 1.1's code,
> > if there is no port number in the Host: header, will match any port. (it
> > also makes it a lot easier to debug a server, because you don't have to
> > reach your finger over and hit the colon, then a bunch of numbers *grin*)
> > But the HTTP/1.1 spec does mandate that no port number should be intereted
> > as the "default port" (80). So we have to change it eventually, and I
> > think it may solve your problem at the same time.

Alexei Kosut <>      The Apache HTTP Server

View raw message