
Re: HTTP/1.1 CONNECT request without Host header

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 16 Jun 2009 18:17:07 -0700
Message-Id: <21B8BC99-055B-47AF-9515-6CE680B149BA@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Adrien de Croy <adrien@qbik.com>
On Jun 16, 2009, at 5:28 PM, Adrien de Croy wrote:
> Roy T. Fielding wrote:
>> On Jun 16, 2009, at 3:26 PM, Adrien de Croy wrote:
>>
>>> I recently updated our proxy to reject all HTTP/1.1 messages from  
>>> clients that lack a Host header.
>>>
>>> This has been found to break a number of clients which use the  
>>> CONNECT method.
>>
>> What clients?
> I only have a couple of reports since this wasn't in general  
> release - a mail.ru client and FTP commander using CONNECT.

Then break them.  They are sending invalid requests, most likely
because they are trying to trigger a security hole.

> However, on further reading of RFC2616, it appears David Morris is  
> correct, that a Host header is only a MUST requirement if the  
> Request-URI is not an AbsoluteURI, and MUST be ignored if it is.   
> This doesn't cover the case where Request-URI is authority (as per  
> CONNECT)... so a strict interpretation is that CONNECT requires  
> host, although I imagine this wasn't the intent, since authority  
> contains the required information.

No, the intention was that Host is required on all HTTP/1.1 requests
for policy reasons (ensuring deployment of Host was a high priority).
Its value might be empty because not all URIs have host portions.

Apache will always respond 400 if HTTP/1.1 and no Host header field.
It will also respond 400 if HTTP >= 1.1 and the hostname target cannot
be obtained via either the request-uri or the Host field.
A "CONNECT host:port HTTP/1.1" request without a Host field will fail
the first test even if it passes the second.

....Roy
Received on Wednesday, 17 June 2009 01:17:40 GMT
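The two Apache checks described in the mail, as an added example that is not code from the mail or from Apache: a small Python validator that applies them to one request head and shows why "CONNECT host:port HTTP/1.1" without a Host field fails the first check even though it passes the second. Host names in the sample requests are constructed.

```python
import re
from typing import Optional, Tuple

HOST_FIELD = re.compile(r"^host\s*:(.*)$", re.IGNORECASE)
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.\-]*://([^/?#]*)", re.IGNORECASE)


def target_host(method: str, request_target: str) -> Optional[str]:
    """Hostname carried by the request-target itself, if any: authority-form
    (CONNECT host:port) and absolute-form (scheme://host/...) carry one,
    origin-form (/path) does not.  IPv6 literals are not handled here."""
    if method.upper() == "CONNECT":
        return request_target.rsplit(":", 1)[0] or None
    m = ABSOLUTE_URI.match(request_target)
    if not m:
        return None
    authority = m.group(1).split("@")[-1]       # drop any userinfo
    return authority.rsplit(":", 1)[0] or None  # drop any port


def check_request(head: str) -> Tuple[bool, str]:
    """Apply the two checks the mail attributes to Apache to one request head.
    Check 1: an HTTP/1.1 request must carry a Host field (value may be empty).
    Check 2: for HTTP >= 1.1 a hostname must be obtainable from the
    request-uri or the Host field.  Returns (accepted, reason)."""
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "400 malformed request line"
    method, target, version = parts
    try:
        major, minor = (int(x) for x in version[5:].split("."))
    except ValueError:
        return False, "400 malformed HTTP-version"
    host_values = [m.group(1).strip() for m in map(HOST_FIELD.match, lines[1:]) if m]
    if (major, minor) == (1, 1) and not host_values:
        return False, "400 HTTP/1.1 request without Host field"
    if (major, minor) >= (1, 1):
        host = target_host(method, target) or (host_values[0] if host_values else "")
        if not host:
            return False, "400 no hostname target in request-uri or Host"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples: the CONNECT case from the mail, without and with Host.
    for head in ("CONNECT mail.example.net:443 HTTP/1.1\r\n\r\n",
                 "CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n"):
        print(head.split("\r\n")[0], check_request(head))
```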
