Bug 56718

(-)server/protocol.c (+15 lines)
Lines 1063-1068 Link Here
1063
1063
1064
    apr_brigade_destroy(tmp_bb);
1064
    apr_brigade_destroy(tmp_bb);
1065
1065
1066
    /*
1067
    * rfc2616: If Request-URI is an absoluteURI, the host is part of the
1068
    * Request-URI. Any Host header field value in the request MUST be
1069
    * ignored.
1070
    * We are currently ignoring it, but the Host headers are still present
1071
    * and may get use by naive programs as the one used for vhost choice
1072
    * or like a valid hostname. So enforce the 'ignore' behavior by
1073
    * overwritting any present Host header.
1074
    * Note that this is made just before the fixHostname(r) call, so this
1075
    * Host header entry is still not as safe as the hostname.
1076
    */
1077
    if (r->hostname && apr_table_get(r->headers_in, "Host")) {
1078
        apr_table_set(r->headers_in, "Host", r->hostname);
1079
    }
1080
1066
    /* update what we think the virtual host is based on the headers we've
1081
    /* update what we think the virtual host is based on the headers we've
1067
     * now read. may update status.
1082
     * now read. may update status.
1068
     */
1083
     */
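Review bot: In the added `if (r->hostname && apr_table_get(r->headers_in, "Host"))` block, the Host header is overwritten with `r->hostname` before the hostname has been fixed up, which the last sentence of the new comment concedes. Anything that later reads `Host` from `r->headers_in` therefore gets a value that has not been through that step. Consider doing the overwrite after the virtual host update that follows, or setting the header again there, so the header and `r->hostname` carry the same checked value. The condition also never tests that the Request-URI was an absoluteURI, although the comment's rationale rests on that case. Either test for it explicitly or have the comment state why a non-NULL `r->hostname` at this point implies it. The comment refers to a `fixHostname(r)` call that is not visible in this hunk, so it should name the function actually called below. Minor: "may get use by" and "overwritting" are typos.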
