For HTTP/1.1 requests, Host is mandatory

The check is added to the builtin logic for now. Fixes #2631.

For HTTP/1.1 requests, Host is mandatory
The check is added to the builtin logic for now. Fixes #2631.
ff86ca7e · Federico G. Schwindt · acaa2d40 · ff86ca7e · ff86ca7e
Commit ff86ca7e authored May 01, 2018 by Federico G. Schwindt
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 2 deletions

builtin.vcl bin/varnishd/builtin.vcl +8 -2

r02633.vtc bin/varnishtest/tests/r02633.vtc +21 -0

No files found.
--- a/bin/varnishd/builtin.vcl
+++ b/bin/varnishd/builtin.vcl
@@ -36,8 +36,14 @@ vcl 4.0;

 sub vcl_recv {
    if (req.method == "PRI") {
-	/* This will never happen in properly formed traffic (see: RFC7540) */
-	return (synth(405));
+        /* This will never happen in properly formed traffic (see: RFC7540) */
+        return (synth(405));
+    }
+    if (!req.http.host &&
+      req.esi_level == 0 &&
+      req.proto ~ "^(?i)HTTP/1.1") {
+        /* In HTTP/1.1, Host is required. */
+        return (synth(400));
    }
    if (req.method != "GET" &&
      req.method != "HEAD" &&

--- a/bin/varnishtest/tests/r02633.vtc
+++ b/bin/varnishtest/tests/r02633.vtc
+varnishtest "For HTTP/1.1 requests, Host is mandatory"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+	txreq -proto HTTP/1.1
+	rxresp
+	expect resp.status == 200
+	txreq -proto HTTP/1.1 -nohost
+	rxresp
+	expect resp.status == 400
+	txreq -proto HTTP/1.0 -nohost
+	rxresp
+	expect resp.status == 200
+} -run