httpd: use the host name in SERVER_NAME

Mon, 19 Jun 2023 09:28:18 -0700 

currently httpd uses the name specified in the config `server' block
which is not guaranteed to be a valid hostname.

quoting rfc3875:

   The SERVER_NAME variable MUST be set to the name of the server host
   to which the client request is directed.  It is a case-insensitive
   hostname or network address.  It forms the host part of the
   Script-URI.

   [...]

   A deployed server can have more than one possible value for this
   variable, where several HTTP virtual hosts share the same IP
   address.  In that case, the server would use the contents of the
   request's Host header field to select the correct virtual host.

This is important since `block return' with $SERVER_NAME may be
expanded to something invalid, or a fastcgi application that looks at
SERVER_NAME (e.g. gotwebd or php) may receive stuff like
"*.example.com" instead of a proper host name depending on the
configuration.

This introduces some redundancy with HTTP_HOST (which we have since
all the HTTP headers become a fastcgi param in the form of HTTP_*).

I'm relying on the fact that httpd disallows requests without a Host
header, so that in the fastcgi path desc->http_host is not NULL.

thoughts/ok?


diff /usr/src
commit - 0cb70ced01a203d011a17a85e0c08bbb95ac164d
path + /usr/src
blob - 073ab344079c6ee4ae422c6e7ad01c70a7002055
file + usr.sbin/httpd/server_fcgi.c
--- usr.sbin/httpd/server_fcgi.c
+++ usr.sbin/httpd/server_fcgi.c
@@ -333,7 +333,7 @@ server_fcgi(struct httpd *env, struct client *clt)
                goto fail;
        }
 
-       if (fcgi_add_param(&param, "SERVER_NAME", srv_conf->name,
+       if (fcgi_add_param(&param, "SERVER_NAME", desc->http_host,
            clt) == -1) {
                errstr = "failed to encode param";
                goto fail;
blob - 08deda7d5f097683571264da0ff434553801f8f7
file + usr.sbin/httpd/server_http.c
--- usr.sbin/httpd/server_http.c
+++ usr.sbin/httpd/server_http.c
@@ -1245,9 +1245,10 @@ server_expand_http(struct client *clt, const char *val
                                return (NULL);
                }
                if (strstr(val, "$SERVER_NAME") != NULL) {
-                       if ((str = url_encode(srv_conf->name))
-                            == NULL)
+                       if (desc->http_host == NULL)
                                return (NULL);
+                       if ((str = url_encode(desc->http_host)) == NULL)
+                               return (NULL);
                        ret = expand_string(buf, len, "$SERVER_NAME", str);
                        free(str);
                        if (ret != 0)

Reply via email to