On Wed, Apr 28, 2010 at 7:51 PM, Andrew Commons <andrew.comm...@bigpond.com> wrote:
> Hi Beni,
>
> A few things to digest here.
>
> What was leading me up this path was a bit of elementary (and probably naïve)
> white-listing with respect to the contents of the Host header and the URI/L
> supplied by the user. Tools like Fiddler make request manipulation trivial so
> filtering out 'obvious' manipulation attempts would be a good idea. With this
> in mind my thinking (if it can be considered as such) was that:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.example.com
> (3) All is good! Pass request on to server.
>
> Alternatively:
>
> (1) user request is for http://www.example.com/whatever
> (2) Host header is www.whatever.com
> (3) All is NOT good! Flick request somewhere harmless.
>
Benedikt has explained this already (see his first reply). There is no such thing. What you see as "user request" is really sent as Host header + URI.

Also to answer another question you raised - the HTTP specification states that header names are case-insensitive. I don't know about haproxy's treatment, though (I'm too lazy to delve into the code right now - and really you can test it out to find out for yourself).

-jf

--
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." --Richard Stallman
"It's so hard to write a graphics driver that open-sourcing it would not help." -- Andrew Fear, Software Product Manager, NVIDIA Corporation http://kerneltrap.org/node/7228
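To make the point of the reply concrete, here is an added example (not code from this thread, and not haproxy's own logic) that parses a raw HTTP/1.1 request head the way a proxy sees it. The URL the user typed never appears on the wire: the request line carries only the request-target, and the host lives in the Host header (or, for proxy-style absolute-form targets, in the target itself, which RFC 7230 section 5.4 says takes precedence). Header names are looked up case-insensitively, as the spec requires. The allow-list containing only `www.example.com` and the sample requests are constructed for the example.

```python
"""Added example: parse an HTTP/1.1 request head and check the host it is
really addressed to against an allow-list. Not from the haproxy thread."""
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased so 'Host', 'host' and 'HOST' all match,
    matching the spec's rule that field names are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_host(raw: bytes):
    """Return the host the request is addressed to, or None if there is none.

    An absolute-form target (proxy style, e.g. GET http://h/p) wins over the
    Host header, as RFC 7230 section 5.4 requires; in the usual origin-form
    case the Host header is the only place the host exists on the wire.
    urlsplit().hostname strips any port, handles IPv6 literals and lower-cases.
    """
    _method, target, headers = parse_request(raw)
    if "://" in target:
        return urlsplit(target).hostname
    return urlsplit("//" + headers.get("host", "")).hostname


def host_allowed(raw: bytes, allowed=frozenset({"www.example.com"})):
    """Allow-list check a front-end proxy might apply before forwarding."""
    host = effective_host(raw)
    return host is not None and host in allowed


# Constructed sample requests (not captured traffic).
NORMAL = b"GET /whatever HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MISMATCH = b"GET /whatever HTTP/1.1\r\nHost: www.whatever.com\r\n\r\n"
LOWERCASE = b"GET /whatever HTTP/1.1\r\nhost: WWW.EXAMPLE.COM\r\n\r\n"
ABSOLUTE = (b"GET http://www.example.com/whatever HTTP/1.1\r\n"
            b"Host: www.whatever.com\r\n\r\n")
NO_HOST = b"GET /whatever HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("NORMAL", NORMAL), ("MISMATCH", MISMATCH),
                      ("LOWERCASE", LOWERCASE), ("ABSOLUTE", ABSOLUTE),
                      ("NO_HOST", NO_HOST)]:
        print(f"{name:9s} host={effective_host(req)!s:18s} "
              f"allowed={host_allowed(req)}")
```

Note that the "mismatch" Andrew describes can only be detected when the client sends an absolute-form target, which browsers do only when talking to an explicit proxy; for an ordinary origin-form request the Host header is the sole statement of the intended host, so there is nothing to compare it against.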