Received: by taz.hyperreal.com (8.6.12/8.6.5) id QAA04155;
 Mon, 15 Jul 1996 16:48:44 -0700
Received: from acidik.organic.com by taz.hyperreal.com (8.6.12/8.6.5) with
 ESMTP id QAA04148; Mon, 15 Jul 1996 16:48:42 -0700
Received: from localhost (akosut@localhost) by acidik.organic.com
 (8.7.5/8.6.12) with SMTP id QAA08875 for <new-httpd@hyperreal.com>;
 Mon, 15 Jul 1996 16:48:24 -0700 (PDT)
X-Authentication-Warning: acidik.organic.com: akosut owned process doing -bs
Date: Mon, 15 Jul 1996 16:48:22 -0700 (PDT)
From: Alexei Kosut <akosut@organic.com>
To: new-httpd@hyperreal.com
Subject: Re: security holes and other fun stuff
In-Reply-To: <199607152338.QAA23806@atropos.c2.org>
Message-ID: <Pine.SOL.3.93.960715164248.8721A-100000@acidik.organic.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Mon, 15 Jul 1996, sameer wrote:

> OK, I'll go into my reasoning...

[...]

Okay... I'll buy what you say. But getting rid of the "!port" is *not* the
way to do it.

> You're connecting to port 80, so the configuration needs to stay at
> r->server, but actually the configuration got changes to
> r->server->next. Looks like a problem to me.
> 
> 	Perhaps changing
> 
>   for (s = r->server->next; s; s = s->next)
> to
>   for(s = r->server; s; s = s->next)
> 
> is the real solution?

Hmm. No. I think the real solution (and http11.patch has this in it, btw,
since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
": 80". Try that, see if it works.

* Historical note: Originally, when http-wg decided to use the Host:
header (as opposed to Orig-URI:), the spec said the format of the header
should be "Host: f.q.d.n", the port number being obtainable via other
means. However, Netscape screwed up and made it "Host: f.q.d.n:portnum" if
there was a port in the original URI. So the spec was changed. However,
there are still a couple browsers out there (old versions of emacs-w3, I
think, mostly) that don't send the port number, so Apache 1.1's code,
if there is no port number in the Host: header, will match any port. (it
also makes it a lot easier to debug a server, because you don't have to
reach your finger over and hit the colon, then a bunch of numbers *grin*)
But the HTTP/1.1 spec does mandate that no port number should be intereted
as the "default port" (80). So we have to change it eventually, and I
think it may solve your problem at the same time.

-- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/