BBlack has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/326443 )

Change subject: normalize host header a little better
......................................................................


normalize host header a little better

Change-Id: I64f54090050b225a3175020dea9ff1dc0689a531
---
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index d733b89..e6369ee 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -69,6 +69,9 @@
 
        // Strip :port from req.http.host and normalize to lowercase
        set req.http.Host = std.tolower(regsub(req.http.Host, ":.*$", ""));
+
+       // Strip away characters that don't belong in hostnames
+       set req.http.Host = regsuball(req.http.Host, "[^-.a-z0-9]+", "");
 }
 
 // Must be done at the top of vcl_recv, in our varnish-frontend layer only,
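Review bot: The added `regsuball(req.http.Host, "[^-.a-z0-9]+", "")` deletes disallowed characters instead of rejecting the request, so a malformed Host is silently rewritten into a different hostname. For example, `exa_mple.org` (constructed) becomes `example.org` and is then presumably routed and cached as that host. It may be safer to validate rather than repair: test `req.http.Host !~ "^[-.a-z0-9]+$"` after the port strip and answer with a 400 using whichever error return this VCL version provides. Either way, the result can now be an empty string (for instance a Host made up only of stripped characters), and a trailing dot still passes through unnormalized; neither case is handled in the visible lines. The enclosing sub starts outside this hunk, so any later checks on Host are not visible here.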
@@ -234,7 +237,7 @@
        unset req.http.Proxy; // https://httpoxy.org/
 
        if (req.restarts == 0) {
-               // This unwraps proxy-style URLs, strips :port from Host:, and 
downcases Host:
+               // This unwraps proxy-style URLs and sanitizes the Host header 
(lowercase, no port, no funny chars)
                call normalize_request;
 
                // IP processing is req->req mangling that shouldn't be re-done 
on restart

-- 
To view, visit https://gerrit.wikimedia.org/r/326443

Gerrit-MessageType: merged
Gerrit-Change-Id: I64f54090050b225a3175020dea9ff1dc0689a531
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
