httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: security holes and other fun stuff
Date Mon, 15 Jul 1996 23:48:22 GMT
On Mon, 15 Jul 1996, sameer wrote:

> OK, I'll go into my reasoning...


Okay... I'll buy what you say. But getting rid of the "!port" is *not* the
way to do it.

> You're connecting to port 80, so the configuration needs to stay at
> r->server, but actually the configuration got changes to
> r->server->next. Looks like a problem to me.
> 	Perhaps changing
>   for (s = r->server->next; s; s = s->next)
> to
>   for(s = r->server; s; s = s->next)
> is the real solution?

Hmm. No. I think the real solution (and http11.patch has this in it, btw,
since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
": 80". Try that, see if it works.

* Historical note: Originally, when http-wg decided to use the Host:
header (as opposed to Orig-URI:), the spec said the format of the header
should be "Host: f.q.d.n", the port number being obtainable via other
means. However, Netscape screwed up and made it "Host: f.q.d.n:portnum" if
there was a port in the original URI. So the spec was changed. However,
there are still a couple browsers out there (old versions of emacs-w3, I
think, mostly) that don't send the port number, so Apache 1.1's code,
if there is no port number in the Host: header, will match any port. (it
also makes it a lot easier to debug a server, because you don't have to
reach your finger over and hit the colon, then a bunch of numbers *grin*)
But the HTTP/1.1 spec does mandate that no port number should be intereted
as the "default port" (80). So we have to change it eventually, and I
think it may solve your problem at the same time.

-- Alexei Kosut <>            The Apache HTTP Server

View raw message