varnishd: Restrict the -i argument to HTTP token syntax

The reason to blindly trust gethostname(3) is that a system returning a
broken host name should not prevent Varnish from starting when there is
no explicit -i option in the command line.

bin/varnishd/mgt/mgt_main.c

@@ -51,6 +51,7 @@
 #include "hash/hash_slinger.h"
 #include "libvcc.h"
 #include "vcli_serve.h"
+#include "vct.h"
 #include "vend.h"
 #include "vev.h"
 #include "vfil.h"
@@ -585,6 +586,7 @@ main(int argc, char * const *argv)
 	const char *S_arg = NULL;
 	const char *s_arg = "default,100m";
 	const char *W_arg = NULL;
+	const char *c;
 	char *p;
 	struct cli cli[1];
 	const char *err;
@@ -816,6 +818,10 @@ main(int argc, char * const *argv)
 
 	if (i_arg == NULL || *i_arg == '\0')
 		i_arg = mgt_HostName();
+	else for (c = i_arg; *c != '\0'; c++) {
+		if (!vct_istchar(*c))
+			ARGV_ERR("Invalid character '%c' for -i\n", *c);
+	}
 	heritage.identity = i_arg;
 
 	mgt_ProcTitle("Mgt");

doc/sphinx/reference/varnishd.rst

@@ -216,8 +216,14 @@ Operations options
 -i identity
 
   Specify the identity of the Varnish server. This can be accessed
-  using ``server.identity`` from VCL. If not specified the output of
-  gethostname(3) is used.
+  using ``server.identity`` from VCL.
+
+  The server identity is used for the ``received-by`` field of ``Via``
+  headers generated by Varnish. For this reason, it must be a valid
+  token as defined by the HTTP grammar.
+
+  If not specified the output of ``gethostname(3)`` is used, in which
+  case the syntax is assumed to be correct.
 
 -I clifile