httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Bannister <>
Subject Re: Can we be less forgiving about what we accept?
Date Mon, 28 Nov 2011 19:11:47 GMT
On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:

> * With 'ProxyRequests off', we accept absolute urls like http://hostname/path for local
requests, but we don't check that the hostname contained in it actually matches the Host header
if there is one. The hostname from the URI is then used for vhost matching and put into r->hostname.
This is mandated by RFC2616 but I guess there are quite a few buggy webapps that always look
into the Host header. A workaround may be to set the Host header to the hostname from the
URI in this case.

I'd sooner see a 400 response. Are there any circumstances where mismatch is required / sent
by a current client?

Some tolerance might be required, for example if the request line specifies a port but the
Host: header does not.

Tim Bannister —

View raw message