MINOR: h1: Reject requests with different occurrences of the header host

There is no reason for a client to send several headers host. It even may be considered as a bug. However, it is totally invalid to have different values for those. So now, in such case, an error is triggered during the request parsing. In addition, when several headers host are found with the same value, only the first instance is kept and others are skipped.
haproxy · Oct 14, 2019 · 497ab4f · 497ab4f
1 parent 486498c
commit 497ab4f
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/src/h1.c b/src/h1.c
@@ -282,6 +282,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
 	union h1_sl sl;
 	int skip_update;
 	int restarting;
+	int host_idx;
 	struct ist n, v;       /* header name and value during parsing */
 
 	skip = 0; // do it only once to keep track of the leading CRLF.
@@ -290,6 +291,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
 	hdr_count = sol = col = eol = sov = 0;
 	sl.st.status = 0;
 	skip_update = restarting = 0;
+	host_idx = -1;
 
 	if (h1m->flags & H1_MF_HDRS_ONLY) {
 		state = H1_MSG_HDR_FIRST;
@@ -831,6 +833,18 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
 						break;
 					}
 				}
+				else if (isteqi(n, ist("host"))) {
+					if (host_idx == -1)
+						host_idx = hdr_count;
+					else {
+						if (!isteqi(v, hdr[host_idx].v)) {
+							state = H1_MSG_HDR_L2_LWS;
+							goto http_msg_invalid;
+						}
+						/* if the same host, skip it */
+						break;
+					}
+				}
 
 				http_set_hdr(&hdr[hdr_count++], n, v);
 			} while (0);