From "Roy T. Fielding" <>
Subject Re: more vhost thoughts
Date Sun, 05 Oct 1997 09:41:25 GMT
>If a client connects to port X and gives "Host: foo:Y" where Y != X,
>should the server reject the request? 

The HTTP level may not be aware of a firewall/router changing the
real port number within an intranet, for whatever reason, and thus the
client may think it is talking to port 80 even though the connection
is on some other port.  This isn't the client's fault, so an error is
not appropriate.  I suggest just ignoring the Host header's port
number and only using the physical port for selecting the server.

>Right now my code does its first pass using X (this is the pass which
>determines which pool of name-vhosts to use, and it happens before headers
>are read), then does the second pass using Y (this is when it checks the
>hostname, and this is just how we always did it). 

I've always felt that was a security hole.  I thought we plugged it long ago.
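
The lookup suggested above, next to a simplified model of the two-pass lookup described in the quoted text. This is an added example, not part of this message and not Apache's code. The vhost table, function names and paths are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed vhost table; names, ports and paths are hypothetical. */
struct vhost { const char *name; unsigned port; const char *docroot; };
static const struct vhost vhosts[] = {
    { "www.example",   8000, "/srv/www"   },
    { "admin.example", 8080, "/srv/admin" },
};

/* Split a Host value into name and port; *port is 0 when none is given.
   Handles "name", "name:port" and bracketed IPv6 literals "[::1]:port". */
static void split_host(const char *hdr, char *name, size_t n, unsigned *port) {
    const char *end = (hdr[0] == '[') ? strchr(hdr, ']') : NULL;
    size_t len = end ? (size_t)(end - hdr) + 1 : strcspn(hdr, ":");
    *port = (hdr[len] == ':') ? (unsigned)strtoul(hdr + len + 1, NULL, 10) : 0;
    if (len >= n) len = n - 1;
    memcpy(name, hdr, len);
    name[len] = '\0';
}

static const char *lookup(const char *name, unsigned port) {
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (vhosts[i].port == port && strcasecmp(vhosts[i].name, name) == 0)
            return vhosts[i].docroot;
    return NULL; /* no match: caller serves the default host for the port */
}

/* Model of the two-pass behaviour: the hostname pass trusts the Host port. */
const char *select_two_pass(unsigned conn_port, const char *host_hdr) {
    char name[256]; unsigned hdr_port;
    split_host(host_hdr, name, sizeof name, &hdr_port);
    return lookup(name, hdr_port ? hdr_port : conn_port);
}

/* Suggested behaviour: the Host port is parsed, then ignored. */
const char *select_by_conn_port(unsigned conn_port, const char *host_hdr) {
    char name[256]; unsigned hdr_port;
    split_host(host_hdr, name, sizeof name, &hdr_port);
    return lookup(name, conn_port);
}

int main(void) {
    const char *r = select_by_conn_port(8000, "admin.example:8080");
    printf("%s\n", r ? r : "(default host for port 8000)");
    return 0;
}
```

With the physical port as the only port input, a client behind a port-remapping firewall that sends `www.example:80` on a port-8000 connection still reaches `www.example`, and a Host port cannot select a vhost bound to a different listener.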


