httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: fix_hostname() in 1.3.30-dev broken
Date Fri, 19 Mar 2004 05:49:22 GMT
> Ugg... fix_hostname() in 1.3.30-dev (and previous) are
> broken such that it does *not* update parsed_uri with
> the port and port_str value from the Host header.
> This means that with a request like:
>
>     % telnet localhost 8888
>     GET / HTTP/1.1
>     Host: foo:9999
>
> that the '9999' port value from the Host header is
> ignored!

When is fix_hostname() used?  If it is used anywhere other than
ProxyPass redirects, then it must ignore that port value.  To do
otherwise would introduce a security hole in servers that rely on
port blocking at firewalls.  I agree that ProxyPass needs to
know that port number, but that should be handled within the
proxy itself.

....Roy


Mime
View raw message