Re: HTTP/1.1 CONNECT request without Host header

On Jun 16, 2009, at 5:28 PM, Adrien de Croy wrote:
> Roy T. Fielding wrote:
>> On Jun 16, 2009, at 3:26 PM, Adrien de Croy wrote:
>>
>>> I recently updated our proxy to reject all HTTP/1.1 messages from  
>>> clients that lack a Host header.
>>>
>>> This has been found to break a number of clients which use the  
>>> CONNECT method.
>>
>> What clients?
> I only have a couple of reports since this wasn't in general  
> release - a mail.ru client and FTP commander using CONNECT.

Then break them.  They are sending invalid requests, most likely
because they are trying to trigger a security hole.

> However, on further reading of RFC2616, it appears David Morris is  
> correct, that a Host header is only a MUST requirement if the  
> Request-URI is not an AbsoluteURI, and MUST be ignored if it is.   
> This doesn't cover the case where Request-URI is authority (as per  
> CONNECT)... so a strict interpretation is that CONNECT requires  
> host, although I imagine this wasn't the intent, since authority  
> contains the required information.

No, the intention was that Host is required on all HTTP/1.1 requests
for policy reasons (ensuring deployment of Host was a high priority).
Its value might be empty because not all URIs have host portions.

Apache will always respond 400 if HTTP/1.1 and no Host header field.
It will also respond 400 if HTTP >= 1.1 and the hostname target cannot
be obtained via either the request-uri or the Host field.
A "CONNECT host:port HTTP/1.1" request without a Host field will fail
the first test even if it passes the second.

....Roy

Received on Wednesday, 17 June 2009 01:17:40 UTC
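As an added illustration that is not part of the thread, the two Apache-style checks Roy describes above can be written as a small request-head validator. The function names, the reason codes and the sample requests below are constructed for this example and are not Apache's code; the checks are exactly the two he lists: a 400 when an HTTP/1.1 request carries no Host field at all, and a 400 when the version is 1.1 or later and no hostname can be obtained from either the request-target or the Host field.

```python
"""Added example (not from the mailing-list thread): apply the two Host checks
described for Apache to a raw HTTP request head. Names and samples are
constructed for illustration."""

from urllib.parse import urlsplit


def parse_request_head(raw: bytes):
    """Split a request head into (method, target, version, headers).

    Only the request line and header fields are parsed; any body is ignored.
    Header names are lower-cased; the first occurrence of a field wins, which
    is sufficient for the presence/value checks below.
    """
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header field")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def target_host(method: str, target: str):
    """Return the host named by the request-target, or None.

    absolute-form (http://host/path) and CONNECT's authority-form (host:port)
    name a host; origin-form (/path) and asterisk-form (*) do not.
    """
    if method == "CONNECT":
        host, _, _ = target.rpartition(":")
        return host or None
    if "://" in target:
        return urlsplit(target).hostname
    return None


def check_request(raw: bytes):
    """Return (status, reason) as an Apache-style server would decide it.

    Test 1: HTTP/1.1 and no Host field present       -> 400 "missing-host-field"
    Test 2: version >= 1.1 and no hostname obtainable
            from request-target or Host              -> 400 "no-target-host"
    A "CONNECT host:port HTTP/1.1" without Host fails test 1 even though its
    authority would satisfy test 2.
    """
    try:
        method, target, version, headers = parse_request_head(raw)
        major, minor = (int(x) for x in version[5:].split("."))
    except ValueError:
        return 400, "malformed"
    if version == "HTTP/1.1" and "host" not in headers:
        return 400, "missing-host-field"   # field must exist, even if empty
    if (major, minor) >= (1, 1) and not (target_host(method, target) or headers.get("host")):
        return 400, "no-target-host"       # nowhere to derive a hostname from
    return 200, "ok"


# Constructed sample request heads exercising each branch.
SAMPLES = {
    "get-origin-no-host": b"GET / HTTP/1.1\r\n\r\n",
    "get-absolute-empty-host": b"GET http://example.com/ HTTP/1.1\r\nHost:\r\n\r\n",
    "get-origin-empty-host": b"GET / HTTP/1.1\r\nHost:\r\n\r\n",
    "connect-no-host": b"CONNECT example.com:443 HTTP/1.1\r\n\r\n",
    "connect-with-host": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "http10-no-host": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:28s} -> {check_request(raw)}")
```

The "get-absolute-empty-host" sample shows the point Roy makes about an empty Host value: the field is present, so test 1 passes, and the absolute request-target supplies the hostname, so test 2 passes too. The "connect-no-host" sample is the case the thread is about: `target_host` can recover the host from the authority, but the absent field already fails test 1.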