On Wed, Apr 28, 2010 at 7:51 PM, Andrew Commons
<andrew.commons#bigpond.com> wrote:
> Hi Beni,
>
> A few things to digest here.
>
> What was leading me up this path was a bit of elementary (and probably naïve) white-listing with respect to the contents of the Host header and the URI/L supplied by the user. Tools like Fiddler make request manipulation trivial so filtering out 'obvious' manipulation attempts would be a good idea. With this in mind my thinking (if it can be considered as such) was that:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.example.com
> (3) All is good! Pass request on to server.
>
> Alternatively:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.whatever.com
> (3) All is NOT good! Flick request somewhere harmless.
>
Benedikt has explained this already (see his first reply). There is no such thing. What you see as a "user request" is really sent as a Host header plus a URI.
Also, to answer another question you raised: the HTTP specification states that header names are case-insensitive. I don't know about haproxy's treatment, though (I'm too lazy to delve into the code right now, and really you can test it out to find out for yourself).
-jf
--
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." -- Richard Stallman
"It's so hard to write a graphics driver that open-sourcing it would not help." -- Andrew Fear, Software Product Manager, NVIDIA Corporation http://kerneltrap.org/node/7228

Received on 2010/04/28 17:48
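As an added illustration of the point made in this reply (example code written for this note, not taken from the thread or from haproxy): the URL a user types is serialized on the wire as a request line that carries only the path, plus a Host header, so the "user request" and the Host header are not two independent things a front end can compare. What a front end can do is allow-list the Host header itself, matching the header name case-insensitively as the HTTP specification requires, and rejecting requests that carry no Host header or more than one. The function names and the sample requests below are constructed for the example.

```python
"""Added example: URL -> wire form, and a Host-header allow-list check.
Not from the haproxy thread; names and sample requests are constructed."""
from urllib.parse import urlsplit


def serialize_request(url: str, method: str = "GET") -> bytes:
    """Return the bytes a client sends for `url` in origin-form.

    The host part of the URL survives only as the Host header; the
    request line carries just the path (and query, if any).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("absolute http(s) URL required")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.hostname
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased because RFC 7230 makes them
    case-insensitive; values are kept as lists so duplicates are visible.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def host_allowed(raw: bytes, allowed_hosts) -> bool:
    """Allow-list check on the Host header.

    True only when exactly one Host header is present and its hostname
    (port stripped, case-folded) is in `allowed_hosts`. A missing or
    duplicated Host header is treated as a manipulation attempt.
    """
    _, _, headers = parse_request(raw)
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        return False
    value = hosts[0].lower()
    if value.startswith("["):  # IPv6 literal such as [::1]:8080
        hostname = value.split("]", 1)[0] + "]"
    else:
        hostname = value.split(":", 1)[0]
    return hostname in {h.lower() for h in allowed_hosts}


# Constructed sample requests (not real captures).
GOOD_REQUEST = serialize_request("http://www.example.com/whatever")
# Header name in mixed case: must still be recognised as Host.
BAD_REQUEST = b"GET /whatever HTTP/1.1\r\nhOsT: www.whatever.com\r\n\r\n"
# Two Host headers: ambiguous, so rejected.
DUP_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: other.example\r\n\r\n"
)

if __name__ == "__main__":
    print(GOOD_REQUEST)
    for req in (GOOD_REQUEST, BAD_REQUEST, DUP_HOST_REQUEST):
        print(host_allowed(req, ["www.example.com"]))
```

Note that `serialize_request` produces origin-form only; a client talking to a forward proxy may send an absolute URI in the request line instead, which a real front end must also handle before applying the allow-list.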
This archive was generated by hypermail 2.2.0 : 2010/04/28 18:00 CEST