On Wed, 12 Nov 2008, Frank Behrens wrote:

> James Yonan <j...@yonan.net> wrote on 4 Nov 2008 12:16:
> > Shouldn't you check p->options.http_version and make sure it's >= 1.1
> > before sending the Host header?
>
> Here is a revised patch, that works for me and implements your
> suggestion:

Sorry Frank, I have to object. It does not implement James's suggestion
as you claim, but random guesswork - inadequate for security software and
prone to breaking at later updates.

> --- proxy.c.orig 2008-10-06 09:22:20.000000000 +0200
> +++ proxy.c 2008-11-06 20:49:55.000000000 +0100
> @@ -348,6 +348,14 @@ establish_http_proxy_passthru (struct ht
> if (!send_line_crlf (sd, buf))
> goto error;
>
> + /* send Host: header for HTTP version above 1.0 */
> + if (strcmp(p->options.http_version, "1.0") != 0) {

This doesn't check for ">= 1.1", but "!= 1.0". What if I use 0.9, or
garbage, or nothing? Oops, you lose -- in either case. Even if it's a
user option and it's their own fault for misconfiguring.

At the very very least, it'll go along these lines (untested and without
reading how http_version is obtained and if additional checks are
sensible!). Note this may fail with HTTP/2.X or newer, since new major
versions are free to interpret existing headers in a different way, but
since that's neither existent nor implemented, let's not care today, but
let's not throw obstacles for later use...

    int rc;
    unsigned int major, minor;

    rc = sscanf(p->options.http_version, "%u.%u", &major, &minor);
    if (rc == 2) {
        switch (major) {
        case 1:
            if (minor >= 1) {
                /* HTTP/1.1 or newer, use Host: header */
            } else {
                /* HTTP/1.0 or HTTP/0.9 */
            }
            break;
        default:
            /* unsupported, complain and terminate */
            break;
        }
    }

You may want to accept only 1.0 and 1.1 rather than 1.0 and 1.n for
n >= 1 - but there should only ever be A SINGLE PLACE to enforce that.
Else you'll have a hell of work once you start implementing HTTP/1.2
later on...

-- 
Matthias Andree
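
Review bot: The added condition `strcmp(p->options.http_version, "1.0") != 0` sends the Host: header for every value that is not the exact string "1.0", so "0.9", "1.00" or an arbitrary string all take the HTTP/1.1 branch, and strcmp has undefined behaviour if http_version is NULL at this point. Convert the option to numeric major and minor once, reject anything that does not parse, and test `major == 1 && minor >= 1` here instead of comparing strings. The hunk header announces 14 new-side lines but the quoted text stops at the opening brace, so the body of the branch is not visible for review.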
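
Added example, not part of the original message or of the project's code: a strict version parser kept in a single place, following the "accept only 1.0 and 1.1" option from the reply above. It uses strtoul rather than the sscanf sketch because "%u.%u" also accepts leading whitespace, a sign and trailing characters; all names here are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names: none of these come from the patched proxy.c. */
enum http_ver { HTTP_VER_INVALID = 0, HTTP_VER_1_0, HTTP_VER_1_1 };

/* Parse one decimal field strictly: digits only, no sign, no whitespace. */
static bool parse_field(const char **s, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**s))
        return false;            /* rejects "", "-1", "+1", " 1" */
    errno = 0;
    *out = strtoul(*s, &end, 10);
    if (errno == ERANGE)
        return false;
    *s = end;
    return true;
}

/* The single place that decides which version strings are accepted. */
enum http_ver parse_http_version(const char *v)
{
    unsigned long major, minor;
    if (v == NULL || !parse_field(&v, &major) || *v++ != '.'
        || !parse_field(&v, &minor) || *v != '\0')
        return HTTP_VER_INVALID; /* unset, garbage or trailing junk */
    if (major == 1 && minor == 0)
        return HTTP_VER_1_0;
    if (major == 1 && minor == 1)
        return HTTP_VER_1_1;
    return HTTP_VER_INVALID;     /* 0.9, 1.2, 2.0: not accepted here */
}

/* Callers ask this instead of comparing version strings themselves. */
bool http_version_wants_host_header(enum http_ver ver)
{
    return ver == HTTP_VER_1_1;
}

int main(void)
{
    const char *samples[] = { "1.0", "1.1", "0.9", "1.1x", "-1.1", "" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], (int)parse_http_version(samples[i]));
}
```

Supporting a later version means adding one enum value and one branch in parse_http_version; callers that only ask http_version_wants_host_header stay unchanged.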