
Conversation

@pluknet (Contributor) commented Nov 6, 2025

This series has some additional changes compared to what was previously posted at https://mailman.nginx.org/pipermail/nginx-devel/2024-June/KLY6JC27JZLSWBIOF6DT2FDDPIMDWWYK.html, most notably changes to stream, some minor though important fixes, a rebase after c8c7beb and its proposed simplification via the ngx_http_validate_host() interface change.

See updated tests on my local branch:
https://github.com/pluknet/nginx-tests/tree/host

When the request line is in the absolute-URI form, a host identified
by a registered name (reg-name) is now restricted to start with an
alphanumeric character (see RFC 1123, RFC 3986).  Previously, empty
domain labels or host starting with a hyphen were accepted.

Additionally, host with a trailing dot is taken into account.
It is rewritten based on ngx_http_parse_request_line() state machine.
This introduces several hardening changes:

- host name with underscores is rejected
- a port subcomponent is restricted to digits
- for IP literals, a missing closing bracket and trailing dot are detected

Now that parsing of host in the absolute-URI form and as part of host
header validation was equalized, this makes subsequent validation of
host in absolute URIs unnecessary.

No functional changes intended.
@pluknet pluknet added this to the nginx-1.29.4 milestone Nov 6, 2025
@pluknet pluknet requested a review from arut November 6, 2025 10:13
@pluknet pluknet self-assigned this Nov 6, 2025
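
The host rules listed in the description above, sketched as a small C state machine. This is an added example, not code from the nginx patch series: `host_ok` and its state names are hypothetical, and it assumes that a single trailing dot after a registered name is accepted, that every label (not only the first) must start with an alphanumeric, that an empty port is allowed, and that an IP literal contains only IPv6-style characters.

```c
#include <ctype.h>
#include <stddef.h>

/* Illustrative validator (not nginx code). Returns 1 if "host[:port]"
 * passes the checks named in the description, 0 otherwise. */
int host_ok(const char *s)
{
    enum { START, NAME, DOT, LITERAL, AFTER_LITERAL, PORT } st = START;
    size_t lit_len = 0;

    for (; *s; s++) {
        unsigned char c = (unsigned char) *s;

        switch (st) {
        case START:
            if (c == '[') { st = LITERAL; break; }
            if (!isalnum(c)) return 0;          /* leading '-', '.', '_' */
            st = NAME;
            break;
        case NAME:
            if (c == '.') { st = DOT; break; }
            if (c == ':') { st = PORT; break; }
            if (!isalnum(c) && c != '-') return 0;   /* '_' is rejected */
            break;
        case DOT:
            if (c == ':') { st = PORT; break; }      /* "name.:80" */
            if (!isalnum(c)) return 0;   /* ".." empty label; assumption: */
            st = NAME;                   /* each label starts with alnum  */
            break;
        case LITERAL:
            if (c == ']') {
                if (lit_len == 0) return 0;          /* "[]" */
                st = AFTER_LITERAL;
                break;
            }
            if (!isxdigit(c) && c != ':' && c != '.') return 0;
            lit_len++;
            break;
        case AFTER_LITERAL:
            if (c != ':') return 0;      /* e.g. trailing dot: "[::1]." */
            st = PORT;
            break;
        case PORT:
            if (!isdigit(c)) return 0;   /* port is digits only */
            break;
        }
    }
    /* Ending in START is an empty host; ending in LITERAL is a missing ']'. */
    return st == NAME || st == DOT || st == AFTER_LITERAL || st == PORT;
}
```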