For HTTP/1.1 requests, Host is mandatory

fgsch · fgsch · commit ff86ca7e1eb8 · 2018-05-17T08:49:24.000+01:00
The check is added to the builtin logic for now. Fixes #2631.
diff --git a/bin/varnishd/builtin.vcl b/bin/varnishd/builtin.vcl
@@ -36,8 +36,14 @@ vcl 4.0;
 
 sub vcl_recv {
     if (req.method == "PRI") {
-	/* This will never happen in properly formed traffic (see: RFC7540) */
-	return (synth(405));
+        /* This will never happen in properly formed traffic (see: RFC7540) */
+        return (synth(405));
+    }
+    if (!req.http.host &&
+      req.esi_level == 0 &&
+      req.proto ~ "^(?i)HTTP/1.1") {
+        /* In HTTP/1.1, Host is required. */
+        return (synth(400));
     }
     if (req.method != "GET" &&
       req.method != "HEAD" &&
diff --git a/bin/varnishtest/tests/r02633.vtc b/bin/varnishtest/tests/r02633.vtc
@@ -0,0 +1,21 @@
+varnishtest "For HTTP/1.1 requests, Host is mandatory"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+} -start
+
+client c1 {
+	txreq -proto HTTP/1.1
+	rxresp
+	expect resp.status == 200
+	txreq -proto HTTP/1.1 -nohost
+	rxresp
+	expect resp.status == 400
+	txreq -proto HTTP/1.0 -nohost
+	rxresp
+	expect resp.status == 200
+} -run
