BBlack has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/326443 )
Change subject: normalize host header a little better
......................................................................
normalize host header a little better
Change-Id: I64f54090050b225a3175020dea9ff1dc0689a531
---
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/43/326443/1
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index d733b89..e6369ee 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -69,6 +69,9 @@
// Strip :port from req.http.host and normalize to lowercase
set req.http.Host = std.tolower(regsub(req.http.Host, ":.*$", ""));
+
+ // Strip away characters that don't belong in hostnames
+ set req.http.Host = regsuball(req.http.Host, "[^-.a-z0-9]+", "");
}
// Must be done at the top of vcl_recv, in our varnish-frontend layer only,
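Review bot: The added `regsuball` silently deletes disallowed characters from the Host header instead of rejecting the request, so a malformed value is rewritten into a different, possibly valid hostname and then routed and cached under that name. The result can also be empty when nothing allowed remains. Rejecting is the safer normalization: after the lowercase/port step, a guard such as `if (req.http.Host !~ "^[-.a-z0-9]+$") { return (synth(400, "Bad Request")); }` would keep malformed values out of host-based decisions altogether (this is Varnish 4+ syntax, and it assumes a Host header is present at this point, so adjust it to the VCL version in use). If stripping is intentional, the comment should say why it is preferred over a 400, and the empty-result case should still be handled. The enclosing block starts outside this hunk, so whether a later check already covers this cannot be seen here.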
@@ -234,7 +237,7 @@
unset req.http.Proxy; // https://httpoxy.org/
if (req.restarts == 0) {
- // This unwraps proxy-style URLs, strips :port from Host:, and
downcases Host:
+ // This unwraps proxy-style URLs and sanitizes the Host header
(lowercase, no port, no funny chars)
call normalize_request;
// IP processing is req->req mangling that shouldn't be re-done
on restart
--
To view, visit https://gerrit.wikimedia.org/r/326443
Gerrit-MessageType: newchange
Gerrit-Change-Id: I64f54090050b225a3175020dea9ff1dc0689a531
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>