>Number: 2437
>Category: protocol
>Synopsis: Apache requires Host: header even when given an absolute URI
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Jun 13 14:50:00 PDT 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.6
>Environment: RedHat Linux 5.1, glibc
>Description:
RFC 2068 (HTTP/1.1), section 5.2 (page 37) gives the rules for identification of resources. With regards to the Host: header it says that:

"If the Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored."

Apache requires the Host: header field even though it is required to be ignored. It will return a 400, Bad Request response. Additionally, if the Host: header is invalid, the URI given is apparently parsed incorrectly.

Three examples are given. The first is without a Host: header, the second has a Host: header that is different than the URI which gives a bizarre response and the third is a successful response as a control.

Please feel free to contact me if you require further information. Thanks!

---------------------
[EMAIL PROTECTED] blizzard]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://foo.appliedtheory.com/index.html HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sat, 13 Jun 1998 21:31:58 GMT
Server: Apache/1.2.6 Red Hat
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

a4
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
</BODY></HTML>

---------------------------
[EMAIL PROTECTED] blizzard]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://foo.appliedtheory.com HTTP/1.1
Host: dhksajdhkjsahdsajdh

HTTP/1.1 404 File Not Found
Date: Sat, 13 Jun 1998 21:33:12 GMT
Server: Apache/1.2.6 Red Hat
Transfer-Encoding: chunked
Content-Type: text/html

ae
<HTML><HEAD>
<TITLE>404 File Not Found</TITLE>
</HEAD><BODY>
<H1>File Not Found</H1>
The requested URL /foo.appliedtheory.com was not found on this server.<P>
</BODY></HTML>

------------------------------
[EMAIL PROTECTED] blizzard]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://foo.appliedtheory.com/index.html HTTP/1.1
Host: foo.appliedtheory.com

HTTP/1.1 200 OK
Date: Sat, 13 Jun 1998 21:33:54 GMT
Server: Apache/1.2.6 Red Hat
Last-Modified: Thu, 07 May 1998 18:17:09 GMT
ETag: "2f1b-792-3551faa5"
Content-Length: 1938
Accept-Ranges: bytes
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Test Page for Red Hat Linux's Apache Installation</TITLE>
</HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY BGCOLOR="#FFFFFF"
[....]

>How-To-Repeat:
Please see the examples above.
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
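
Added example, not part of the original report and not Apache's code: the precedence rule quoted from RFC 2068 section 5.2, applied in Python to requests constructed from the three telnet sessions above. The name `routing_target`, the treatment of an empty path as `/`, the reporting of discarded Host values, and the rejection of an abs_path request without exactly one Host value are assumptions of this example.

```python
from urllib.parse import urlsplit

def parse_head(raw: bytes):
    """Split a raw request head into (method, target, version, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers

def routing_target(raw: bytes):
    """Return (host, path, ignored_hosts) for one request.

    absoluteURI: the host comes from the Request-URI and every Host value
    is ignored (differing values are returned so they can be logged).
    abs_path: the host comes from a single, non-empty Host header.
    """
    _method, target, _version, headers = parse_head(raw)
    hosts = headers.get("host", [])
    if target.startswith("/"):
        if len(hosts) != 1 or not hosts[0]:
            raise ValueError("abs_path request needs exactly one Host value")
        return hosts[0].lower(), target, []
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("unsupported Request-URI: %r" % target)
    host = parts.hostname  # urlsplit lower-cases the host name
    if parts.port is not None and parts.port != 80:
        host += ":%d" % parts.port
    path = parts.path or "/"  # assumption: an empty path means the server root
    if parts.query:
        path += "?" + parts.query
    ignored = [h for h in hosts if h.lower() != host]
    return host, path, ignored

# Constructed from the three telnet sessions in the report.
NO_HOST = b"GET http://foo.appliedtheory.com/index.html HTTP/1.1\r\n\r\n"
BAD_HOST = (b"GET http://foo.appliedtheory.com HTTP/1.1\r\n"
            b"Host: dhksajdhkjsahdsajdh\r\n\r\n")
GOOD_HOST = (b"GET http://foo.appliedtheory.com/index.html HTTP/1.1\r\n"
             b"Host: foo.appliedtheory.com\r\n\r\n")

if __name__ == "__main__":
    for req in (NO_HOST, BAD_HOST, GOOD_HOST):
        print(routing_target(req))
```

Logging the third element gives a record of requests whose Host header disagreed with the absolute URI they were routed on.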
