Paste P7029

hostname sanity in generic VCL

Authored by BBlack on Apr 23 2018, 1:51 PM.
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -82,8 +82,14 @@ sub normalize_request {
// Strip :port from req.http.host and normalize to lowercase
set req.http.Host = std.tolower(regsub(req.http.Host, ":.*$", ""));
- // Strip away characters that don't belong in hostnames
- set req.http.Host = regsuball(req.http.Host, "[^-.a-z0-9]+", "");
+ // Check that host header looks reasonably-legitimate/parseable now
+ if (req.http.Host ~ "^[a-z][-a-z0-9]*(\.[a-z][-a-z0-9]*)*\.?$") {
+ // Strip optional trailing terminal dot if present
+ set req.http.Host = regsub(req.http.Host, "\.$", "");
+ } else {
+ set req.http.Host = "invalid";
+ // XXX error 400 here for unparseable or empty hostnames
+ }
}
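Review bot: the validation regex on the `if` line, `^[a-z][-a-z0-9]*(\.[a-z][-a-z0-9]*)*\.?$`, requires every label to begin with a letter, so a Host whose first or any later label starts with a digit is rewritten to "invalid" even though RFC 1123 permits hostname labels that begin with a digit; it also accepts a label that ends in "-". If the goal is to reject unparseable values rather than digit-leading names, something like `[a-z0-9]([-a-z0-9]*[a-z0-9])?` per label, keeping the same optional trailing dot, would match the intent more closely. Separately, the `// XXX error 400 here for unparseable or empty hostnames` placeholder means that until the synthetic 400 is wired in, a request with an empty or malformed Host continues through the pipeline with `req.http.Host` literally set to "invalid", so any later VCL or backend selection keyed on the Host value needs to cope with that string rather than assume a real hostname.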
