
Bug #1319

simple-vhost.default-host and invalid hostnames

Added by Safari about 12 years ago. Updated about 3 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: mod_simple_vhost
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

Shouldn't simple-vhost.default-host be used only when the
request is HTTP/1.0 and the Request-URI is not an absoluteURI, i.e. does not contain http://host.name?

If the vhost directory does not exist, lighttpd should return error 400.
Now it attempts to fetch a file from the default_host directory instead.

Also, another bug:
If I do:
GET http://foo.bar/qux HTTP/1.1
Host: bar.qux

The Host: header should be ignored (rule 1 below), but instead
lighttpd says:
request.c.445: (trace) Host header is duplicate (Status: 400)

http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.2
An origin server that does differentiate resources based on the host requested (sometimes referred to as virtual hosts or vanity host names) MUST use the following rules for determining the requested resource on an HTTP/1.1 request:

1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored.

2. If the Request-URI is not an absoluteURI, and the request includes a Host header field, the host is determined by the Host header field value.

3. If the host as determined by rule 1 or 2 is not a valid host on the server, the response MUST be a 400 (Bad Request) error message.

Attachment: lighttpd-svn-400-error-for-bad-host.patch (3.78 KB), "crude patch to give 400 error on bad Host", Safari, 2008-03-02 20:32

History

#1

Updated by gstrauss about 3 years ago

  • Description updated (diff)
  • Status changed from New to Invalid
  • Assignee deleted (jan)

Similar to how the main server will serve requests for any Host that reaches the server (unless a more specific vhost handles the request), mod_simple_vhost provides for a default document root if one is not configured. (You might reasonably suggest that lighttpd should not apply a default vhost unless explicitly configured.)

As to your other "bug", an updated RFC dictates that lighttpd's behavior of sending 400 upon Host mismatch is correct:
https://tools.ietf.org/html/rfc7230#section-5.4

   A client MUST send a Host header field in all HTTP/1.1 request
   messages.  If the target URI includes an authority component, then a
   client MUST send a field-value for Host that is identical to that
   authority component, excluding any userinfo subcomponent and its "@" 
   delimiter (Section 2.7.1).
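The two rules argued about in this ticket (the RFC 2616 §5.2 / RFC 7230 §5.4 reconciliation of an absolute-form request-target with the Host header, and whether an unknown host should fall back to a default vhost or be refused with 400) can be shown in a few lines. The following is an added illustration written for this page; it is not lighttpd code and does not reproduce mod_simple_vhost's implementation. The Request type, the VHOSTS table, the docroot paths and the sample requests are all constructed for the example, and the default_host parameter is an assumed stand-in for simple-vhost.default-host.

```python
"""RFC 7230 section 5.4 request-target / Host reconciliation and the vhost
lookup that Bug #1319 argues about.  Added illustration, not lighttpd code:
the Request type, the vhost table and the constructed requests are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    target: str              # request-target as written on the request line
    version: str             # "HTTP/1.0" or "HTTP/1.1"
    host_headers: List[str]  # every Host header value received, in order


def authority_from_target(target: str) -> Optional[str]:
    """Authority (host[:port]) of an absolute-form request-target, or None
    for origin-form ("/path") and other non-absolute targets."""
    if target.startswith("/"):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # The comparison excludes any userinfo subcomponent and its "@" delimiter.
    return parts.netloc.rsplit("@", 1)[-1].lower()


def effective_host(req: Request) -> Tuple[Optional[str], Optional[int]]:
    """Return (host, status): host is the authority the request is for,
    status is 400 when RFC 7230 5.4 requires rejecting the request."""
    if len(req.host_headers) > 1:
        return None, 400         # more than one Host header field
    header = req.host_headers[0].strip().lower() if req.host_headers else None
    authority = authority_from_target(req.target)

    if authority is not None:
        # absolute-form target: Host must be identical to the authority
        if header is None:
            # HTTP/1.1 MUST send Host; HTTP/1.0 may omit it
            return (None, 400) if req.version == "HTTP/1.1" else (authority, None)
        return (authority, None) if header == authority else (None, 400)

    if header is None:
        # origin-form target with no Host: an HTTP/1.1 request is rejected,
        # an HTTP/1.0 request simply carries no host information
        return (None, 400) if req.version == "HTTP/1.1" else (None, None)
    return header, None


def resolve_document_root(req: Request, vhosts: Dict[str, str],
                          default_host: Optional[str] = None
                          ) -> Tuple[Optional[str], Optional[int]]:
    """Map a request to a document root.  vhosts maps hostname -> docroot.
    default_host=None refuses unknown hosts with 400 (what the reporter
    asks for); a configured default_host falls back the way
    simple-vhost.default-host does."""
    host, status = effective_host(req)
    if status is not None:
        return None, status
    if host is not None:
        name = host.split(":", 1)[0]   # docroots are keyed by hostname only
        if name in vhosts:
            return vhosts[name], None
    if default_host is not None and default_host in vhosts:
        return vhosts[default_host], None
    return None, 400


# Constructed vhost table for the demonstration (not a real configuration).
VHOSTS = {"foo.bar": "/srv/www/foo.bar", "www.example.com": "/srv/www/example"}

if __name__ == "__main__":
    # First case is the reporter's request: absolute-form target disagreeing with Host.
    cases = [
        Request("GET", "http://foo.bar/qux", "HTTP/1.1", ["bar.qux"]),
        Request("GET", "http://foo.bar/qux", "HTTP/1.1", ["foo.bar"]),
        Request("GET", "/qux", "HTTP/1.1", []),
        Request("GET", "/qux", "HTTP/1.0", []),
        Request("GET", "/qux", "HTTP/1.1", ["nosuch.example"]),
    ]
    for req in cases:
        strict = resolve_document_root(req, VHOSTS)
        lenient = resolve_document_root(req, VHOSTS, default_host="www.example.com")
        print(f"{req.method} {req.target} {req.version} Host={req.host_headers}"
              f" -> no default: {strict}, default-host: {lenient}")
```

With no default host configured, the reporter's request and every request for a hostname outside the table end in 400, which is the behaviour asked for in the description; with a default host set, only the RFC 7230 §5.4 violations (absolute-form target disagreeing with Host, missing or duplicate Host on HTTP/1.1) are refused and unknown hosts land in the default docroot, which matches the fallback gstrauss describes.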
