HTTP Host header is missing port info #766

Closed
nnposter opened this Issue Mar 16, 2017 · 0 comments

Projects

None yet

1 participant

According to RFC 2616, Section 14.23:

The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI...

and also

A "host" without any trailing port information implies the default port for the service requested

HTTP requests generated by http.lua never include port information in the Host header, which is causing these requests to fail with some servers.

local function get_host_field(host, port)
  return stdnse.get_hostname(host)
end

I am proposing to rectify the issue by making the function more compliant with the RFC as follows:

local function get_host_field(host, port)
  if not host then return nil end
  local ssl = shortport.ssl(host, port)
  local pn = port.number
  if not ssl and pn == 80 or ssl and pn == 443 then
    return stdnse.get_hostname(host)
  else
    return stdnse.get_hostname(host) .. ":" .. pn
  end
end

Please let me know if you have any questions or concerns. Otherwise I will commit the change in a few weeks.

As a side note, a similar logic where default port numbers are being derived from the scheme exists in several other areas. I will put together a follow-up patch to abstract out the logic.

This was referenced Mar 19, 2017
@nmap-bot nmap-bot closed this in 11a8c31 Apr 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment