- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 8 Sep 2021 10:49:15 +0200
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- Cc: Greg Wilkins <gregw@webtide.com>, Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Stefan,

On Wed, Sep 08, 2021 at 10:04:09AM +0200, Stefan Eissing wrote:
> I heard also that there is yet another HTTP version in the works.

I think I heard something about this as well :-)

> > But my question still holds: are we aware of any valid case for Host
> > and :authority to mismatch? I've enumerated a dozen of combinations
> > earlier, none of which would result in this, and yet we're trying hard
> > to make sure we can continue to forward attacks unmolested to the next
> > hop. This is a real problem :-/
>
> Not aware: that such requests are made against Apache httpd
> Aware: that we flatten them and no one has complained.

Same here. We did enforce the matching between Host and authority in H1
a while ago and nobody reported any issue. We enforced it recently on H2
as well and the only failure we got was a :443 port that was left after
the host, until we refined this to apply RFC3986's scheme-based
normalization to drop the port. Of course I'd rather define something
solid than have to compare strings.

> FWIW, from our perspective, no mixed authority/host requests are
> expected to work, other than given the response based on authority alone.
>
> That is of course only a very limited sample.

Let's assemble many limited samples until we have enough :-)

Thanks,
Willy
Received on Wednesday, 8 September 2021 08:49:35 UTC
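The check Willy describes above (comparing Host with :authority only after RFC 3986 scheme-based normalization, so that a trailing :443 on an https request no longer reads as a mismatch), written out as an added example in Python. This is not HAProxy's or httpd's code; the reject-on-mismatch policy in check_h2_request, the function names and the sample requests are assumptions made for this example.

```python
"""RFC 3986 scheme-based normalization of an HTTP authority, used to
decide whether an HTTP/1 Host header and an HTTP/2 :authority
pseudo-header name the same origin. Added example, not HAProxy code."""

from typing import Optional, Tuple

# Default ports per scheme (RFC 3986 section 6.2.3 / RFC 9110 section 4.2).
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(authority: str) -> Tuple[str, Optional[str]]:
    """Split 'host[:port]' into (host, port-or-None).

    Handles bracketed IPv6 literals such as "[::1]:8080" and the empty
    port form "host:", which RFC 3986 treats as no port at all.
    Raises ValueError on anything that is not a valid HTTP authority.
    """
    if "@" in authority:
        # userinfo is forbidden in http/https URIs (RFC 9110 section 4.2.4)
        raise ValueError("userinfo not allowed in authority")
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[: end + 1], authority[end + 1 :]
        if rest == "":
            return host, None
        if rest[0] != ":":
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:]
    else:
        host, sep, port = authority.partition(":")
        if not sep:
            return host, None
    if port == "":
        return host, None
    if not all(c in "0123456789" for c in port):
        raise ValueError("port is not numeric")
    return host, port


def normalize_authority(scheme: str, authority: str) -> str:
    """Apply RFC 3986 section 6.2 normalization: lowercase the host, drop
    leading zeros from the port, and drop the port entirely when it is the
    scheme's default, so "EXAMPLE.com:0443" becomes "example.com" for https."""
    host, port = split_host_port(authority.strip())
    if host == "" or host == "[]":
        raise ValueError("empty host")
    host = host.lower()  # host is case-insensitive (RFC 3986 section 3.2.2)
    if port is None:
        return host
    port_num = int(port)  # "0443" -> 443
    if port_num > 65535:
        raise ValueError("port out of range")
    if port_num == DEFAULT_PORTS.get(scheme.lower()):
        return host
    return f"{host}:{port_num}"


def host_matches_authority(scheme: str, host_header: str, authority: str) -> bool:
    """True if Host and :authority name the same origin after normalization;
    a malformed value on either side counts as a mismatch."""
    try:
        return normalize_authority(scheme, host_header) == normalize_authority(scheme, authority)
    except ValueError:
        return False


def check_h2_request(pseudo: dict, headers: dict) -> Tuple[bool, str]:
    """Assumed front-end policy for an HTTP/2 request: accept when Host is
    absent (it is derived from :authority), accept when both are present
    and agree after normalization, reject otherwise so that a disagreeing
    pair is never forwarded to the next hop."""
    scheme = pseudo.get(":scheme", "https")
    authority = pseudo.get(":authority")
    host = headers.get("host")
    if authority is None:
        return False, "missing :authority"
    if host is None:
        return True, "Host derived from :authority"
    if host_matches_authority(scheme, host, authority):
        return True, "Host and :authority agree"
    return False, "Host and :authority disagree"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({":scheme": "https", ":authority": "example.com"}, {"host": "example.com:443"}),
        ({":scheme": "https", ":authority": "EXAMPLE.com:0443"}, {"host": "example.com"}),
        ({":scheme": "https", ":authority": "[2001:DB8::1]:8443"}, {"host": "[2001:db8::1]:8443"}),
        ({":scheme": "https", ":authority": "www.example.com"}, {"host": "internal.example.net"}),
        ({":scheme": "http", ":authority": "example.com:443"}, {"host": "example.com"}),
        ({":scheme": "https", ":authority": "example.com"}, {}),
    ]
    for pseudo, headers in samples:
        ok, why = check_h2_request(pseudo, headers)
        print(f"{'ACCEPT' if ok else 'REJECT'}: {pseudo} {headers} ({why})")
```

The fifth sample shows why the normalization has to be scheme-based: "example.com:443" and "example.com" are the same https origin but different http origins, so a plain string comparison, or dropping :443 unconditionally, gets one of the two cases wrong.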