Hostname route ignore HTTP_HOST and give SERVER_NAME precedence #4581
Web servers that are configured to accept more than one name for a virtual host pass the following variables:
SERVER_NAME - the virtual host primary name
HTTP_HOST - the requested domain in the URL
As discussed with @DASPRiD, HTTP_HOST needs to be checked first to verify what domain was asked by the client.
@weierophinney raised a concern about the host header being spoofed. The Q is, even if so, do we have an alternative?
Extra info about the subject:
To clear the "problem" about spoofing:
The general problem is that HTTP_HOST can contain any value the user supplies (it's simply not trustable). This is not a real problem here though, since we have two things we know:
@weierophinney: Any thoughts about it?
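An added example, not code from this thread or from Zend Framework: one way to give HTTP_HOST precedence for hostname routing while treating it as untrusted input. The function name `resolveRouteHost`, the allowlist approach and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration; names and sample values are constructed.

/**
 * Pick the hostname to route on from a $_SERVER-style array.
 * HTTP_HOST is client-supplied, so it is used only when it is well formed
 * and matches a name this application is configured to serve.
 * IPv6 literals and trailing-dot names are not accepted and fall back.
 */
function resolveRouteHost(array $server, array $allowedHosts): ?string
{
    $serverName = isset($server['SERVER_NAME'])
        ? strtolower($server['SERVER_NAME'])
        : null;
    $raw = $server['HTTP_HOST'] ?? '';

    // Accept "name" or "name:port" only. The D modifier stops "$" from
    // matching before a trailing newline.
    $pattern = '/^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$/iD';
    if (preg_match($pattern, $raw, $m)) {
        $host = strtolower($m[1]);
        if (in_array($host, $allowedHosts, true)) {
            return $host; // requested name, verified against configuration
        }
    }

    // Missing, malformed or unknown Host header: use the vhost primary name.
    return $serverName;
}

// Constructed sample input: names the virtual host is configured to accept.
$allowed = ['example.com', 'www.example.com'];

$cases = [
    ['SERVER_NAME' => 'example.com', 'HTTP_HOST' => 'www.example.com:8080'],
    ['SERVER_NAME' => 'example.com', 'HTTP_HOST' => 'other.invalid'],
    ['SERVER_NAME' => 'example.com', 'HTTP_HOST' => "www.example.com\r\nX-Test: 1"],
    ['SERVER_NAME' => 'example.com'], // no Host header at all
];

foreach ($cases as $server) {
    $shown = json_encode($server['HTTP_HOST'] ?? null);
    printf("%-36s => %s\n", $shown, resolveRouteHost($server, $allowed));
}
```

Only the first case routes on the requested name; the other three fall back to SERVER_NAME.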