On Fri, 30 Aug 2002, Ignacio J. Ortega wrote:

> - Another cause to worry is the comment in apache2 core.c:
>
> > There are two options regarding what the "name" of a server is. The
> > "canonical" name as defined by ServerName and Port, or the "client's
> > name" as supplied by a possible Host: header or full URI. We never
> > trust the port passed in the client's headers, we always use the
> > port of the actual socket.
>
> Reviewed the code (briefly) and it seems there is a contradiction
> between this comment and the actual behavior apache2 has.
>
> Apache2 always obeys a Host: header if present in the request (for
> relative request URIs, of course), for both ServerName and port. Maybe
> this comment is directed at not using the parsed port internally, only the
> real socket port, I don't know.
It may very well be a security issue (and quite a big one!). There are sites using all kinds of firewalls and settings in httpd.conf to restrict access to some hosts or ports (say from the internal network). If Host: info is used for security checks, it would be trivial to bypass some of this security.

In particular, people may have servlets that check getServerName() to find out if 'localhost' was used; the spec change will leave them with a huge hole (any request with a forged Host: localhost will pass).

I love this kind of apparently trivial 'clarifications' with deep implications.

Costin
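To make the hole concrete, here is an added example (not code from this thread, from Tomcat or from Apache): a hypothetical servlet filter showing the getServerName()-based check the message warns about beside a check that decides from the socket addresses instead. It assumes a Servlet 2.4 container, since getLocalAddr() and getLocalPort() were introduced there.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (constructed for this example) guarding a "local only" path.
public class LocalOnlyFilter implements Filter {

    // VULNERABLE: getServerName() is derived from the Host: header (or from an
    // absolute request URI), both of which the client chooses freely.
    static boolean isLocalByHostHeader(HttpServletRequest req) {
        return "localhost".equals(req.getServerName());
    }

    // SAFER: decide from the accepted TCP connection, which the client cannot
    // rewrite with a header. getRemoteAddr() is the peer's IP; getLocalAddr()
    // is the address the server socket itself is bound to (Servlet 2.4).
    // Caveat: behind a reverse proxy getRemoteAddr() is the proxy's address.
    static boolean isLocalBySocket(HttpServletRequest req) throws IOException {
        InetAddress peer = InetAddress.getByName(req.getRemoteAddr());
        InetAddress local = InetAddress.getByName(req.getLocalAddr());
        return peer.isLoopbackAddress() && local.isLoopbackAddress();
    }

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // A remote request carrying "Host: localhost" satisfies
        // isLocalByHostHeader() but is still rejected here.
        if (!isLocalBySocket(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
}
```

The same reasoning applies to ports: compare getLocalPort() (the socket) with getServerPort() (which may follow the Host: header) when a rule depends on which listener the request arrived on.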