Bug #1330

400 Bad Request when using IP's numeric value ("ip2long()")

Added by Anonymous almost 10 years ago. Updated about 1 year ago.


Other webservers allow you to access them via their numeric value:

octet1 << 24 OR octet2 << 16 OR octet3 << 8 OR octet4
(or with a calculator, octet1*256^3 + octet2*256^2 + octet3*256 + octet4)

Here's one of Google's IPs:
(64 * (256^3)) + (233 * (256^2)) + (167 * 256) + 99

So if you use http://1089054563 --- you get to google.

If you try this with a server running lighttpd, you get "400 Bad Request" :)

This is an old trick to get by proxies. I doubt it works any more...but what good is it to get by a proxy if you're trying to reach a lighttpd hosted website!? :D

Great job on lighty, btw, excellent software!

-- Ben <ben_is_a

Associated revisions

Revision b47494d4 (diff)
Added by gstrauss about 1 year ago

[config] opts for http header parsing strictness (fixes #551, fixes #1086, fixes #1184, fixes #2143, #2258, #2281, fixes #946, fixes #1330, fixes #602, #1016)

server.http-parseopt-header-strict = "enable"
server.http-parseopt-host-strict = "enable" (implies host-normalize)
server.http-parseopt-host-normalize = "disable"

defaults retain current behavior, which is strict header parsing
and strict host parsing, with enhancement to normalize IPv4 address
and port number strings.

For lighttpd tests, these need to be enabled (and are by default)
For marginally faster HTTP header parsing for benchmarks, disable these.

To allow
- underscores in hostname
- hyphen ('-') at beginning of hostname
- all-numeric TLDs
server.http-parseopt-host-strict = "disable"

"lighttpd doesn't allow underscores in host names"
"hyphen in hostname"
"a numeric tld"
"Numeric tld's"
"Bad Request"
"400 Bad Request when using Numeric TLDs"

To allow a variety of numerical formats to be converted to IP addresses
server.http-parseopt-host-strict = "disable"
server.http-parseopt-host-normalize = "enable"

"URL encoding leads to "400 - Bad Request""
"400 Bad Request when using IP's numeric value ("ip2long()")"

To allow most 8-bit and 7-bit chars in headers
server.http-parseopt-header-strict = "disable" (not recommended)

"Russian letters not alowed?"
"header Content-Disposition with russian '?' (CP1251, ascii code 255) causes error"


#1 Updated by Anonymous almost 10 years ago

Errr, this (#)&$ing wiki screwed up my formatting...I should've previewed first! Here are the relevant pieces:

(or with a calculator, octet1*256^3 + octet2*256^2 + octet3*256 + octet4)
(64 * (256^3)) + (233 * (256^2)) + (167 * 256) + 99
1089054563

-- Ben <ben_is_a

#2 Updated by carpii about 1 year ago

Not a valid bug (maybe it was at the time)

The octet address is decoded to an IP before the connection is even made to lighttpd.
The HTTP Host header still specifies the octet hostname, but lighty treats this as an arbitrary string anyway.

For my test IP of

$HTTP["host"] == "3232235855" {
    url.redirect = ( "^/(.*)" => "" )
}

$ wget http://3232235855

--2016-05-03 00:06:09-- http://3232235855/
Resolving 3232235855...
Connecting to 3232235855||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: [following]

#3 Updated by gstrauss about 1 year ago

  • Description updated (diff)

There are a number of open issues related to the feature request of lighttpd parsing various formats of numerical strings in the Host header into an IP address that is then used for condition matching. request.c:request_check_hostname() is the place where many of these are rejected. I was thinking that a new config switch (or switches) might disable the strict checks here, and/or parse various numerical formats into IP strings.

#4 Updated by gstrauss about 1 year ago

  • Status changed from New to Patch Pending
  • Assignee deleted (jan)
  • Target version set to 1.4.40

#5 Updated by gstrauss about 1 year ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
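
The numeric-host normalization that the commit message and comment #3 describe, sketched as an added example (not lighttpd's code and not part of this ticket): a host condition or filter that compares strings treats "1089054563" and "64.233.167.99" as different hosts, so the value is rewritten to dotted-quad before any matching. The accepted forms follow inet_aton conventions, which is an assumption about what "a variety of numerical formats" covers, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not lighttpd code. Rewrites a Host value whose host part is
 * a numeric IPv4 form (1-4 parts; decimal, 0x hex, 0 octal) to dotted-quad,
 * keeping a valid :port. Returns 0, or -1 if the value is not such a form. */
int normalize_ipv4_host(const char *host, char *out, size_t outlen)
{
    unsigned long parts[4], addr = 0;
    char portbuf[24] = "", *end;
    const char *p = host;
    int n = 0;

    for (;;) {                                   /* split on '.', max 4 parts */
        if (n == 4 || *p < '0' || *p > '9') return -1;   /* no sign, no space */
        errno = 0;
        unsigned long v = strtoul(p, &end, 0);   /* base 0: hex/octal/decimal */
        if (errno || v > 0xFFFFFFFFul) return -1;        /* wider than 32 bits */
        parts[n++] = v;
        p = end;
        if (*p != '.') break;
        p++;
    }
    for (int i = 0; i < n - 1; i++) {            /* leading parts: one byte each */
        if (parts[i] > 255) return -1;
        addr |= parts[i] << (24 - 8 * i);
    }
    if (parts[n - 1] > (0xFFFFFFFFul >> (8 * (n - 1)))) return -1;
    addr |= parts[n - 1];                        /* last part fills the rest */

    if (*p == ':') {                             /* optional port, 0..65535 */
        if (p[1] < '0' || p[1] > '9') return -1;
        unsigned long port = strtoul(p + 1, &end, 10);
        if (*end != '\0' || port > 65535) return -1;
        snprintf(portbuf, sizeof portbuf, ":%lu", port);
    } else if (*p != '\0') return -1;            /* trailing junk, e.g. "08" */

    int len = snprintf(out, outlen, "%lu.%lu.%lu.%lu%s", addr >> 24,
                       (addr >> 16) & 255, (addr >> 8) & 255, addr & 255, portbuf);
    return (len > 0 && (size_t)len < outlen) ? 0 : -1;
}

/* Convenience wrapper: canonical string (static buffer) or NULL. */
const char *canonical_host(const char *host)
{
    static char buf[32];
    return normalize_ipv4_host(host, buf, sizeof buf) == 0 ? buf : NULL;
}
```

A caller would run host conditions and access rules against the returned string, and fall back to ordinary hostname validation when the function returns -1.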
