
Commit ed3604c

wwwzbwcomlpincamscdex
authored andcommittedNov 28, 2022
http: server check Host header, to meet RFC 7230 5.4 requirement
PR-URL: #45597 Fixes: #39033 Co-authored-by: Luigi Pinca <[email protected]> Co-authored-by: mscdex <[email protected]> Reviewed-By: Robert Nagy <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
1 parent 71ff89f commit ed3604c

46 files changed

+156
-42
lines changed


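--- a/doc/api/http.md
+++ b/doc/api/http.md
@@ -3185,6 +3185,10 @@ changes:
 * `uniqueHeaders` {Array} A list of response headers that should be sent only
 once. If the header's value is an array, the items will be joined
 using `; `.
+* `requireHostHeader` {boolean} It forces the server to respond with
+a 400 (Bad Request) status code to any HTTP/1.1 request message
+that lacks a Host header (as mandated by the specification).
+**Default:** `true`.
 
 * `requestListener` {Function}
 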
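--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -473,6 +473,14 @@ function storeHTTPOptions(options) {
 } else {
 this.connectionsCheckingInterval = 30_000; // 30 seconds
 }
+
+const requireHostHeader = options.requireHostHeader;
+if (requireHostHeader !== undefined) {
+validateBoolean(requireHostHeader, 'options.requireHostHeader');
+this.requireHostHeader = requireHostHeader;
+} else {
+this.requireHostHeader = true;
+}
 }
 
 function setupConnectionsTracking(server) {
@@ -1022,7 +1030,18 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
 let handled = false;
 
+
 if (req.httpVersionMajor === 1 && req.httpVersionMinor === 1) {
+
+// From RFC 7230 5.4 https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// A server MUST respond with a 400 (Bad Request) status code to any
+// HTTP/1.1 request message that lacks a Host header field
+if (server.requireHostHeader && req.headers.host === undefined) {
+res.writeHead(400, ['Connection', 'close']);
+res.end();
+return 0;
+}
+
 const isRequestsLimitSet = (
 typeof server.maxRequestsPerSocket === 'number' &&
 server.maxRequestsPerSocket > 0
@@ -1045,7 +1064,6 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
 if (RegExpPrototypeExec(continueExpression, req.headers.expect) !== null) {
 res._expect_continue = true;
-
 if (server.listenerCount('checkContinue') > 0) {
 server.emit('checkContinue', req, res);
 } else {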
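Review bot: The guard `if (server.requireHostHeader && req.headers.host === undefined)` in the parserOnIncoming hunk enforces only the "lacks a Host header field" clause of RFC 7230 §5.4, while the same paragraph also requires a 400 for a request carrying more than one Host field or an invalid Host field-value; as far as I can tell the incoming-message parser keeps the first `host` value and drops later duplicates, so a request with two conflicting Host headers passes this check unchanged. That narrower scope is worth stating in the code comment so `requireHostHeader` is not read as full §5.4 enforcement, e.g. append `// Only absence is enforced here; duplicate or malformed Host values are not rejected.` The `res.end(); return 0;` path also means a rejected request never reaches the 'request' listeners (the emit is outside this hunk), and the 400 is sent with `Connection: close`, both of which the `requireHostHeader` entry in doc/api/http.md could mention. parserOnIncoming starts and ends outside the hunk.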
