Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@liege.ICS.UCI.EDU> on 1996/07/16 05:15:39 UTC

Re: security holes and other fun stuff

> * Historical note: Originally, when http-wg decided to use the Host:
> header (as opposed to Orig-URI:), the spec said the format of the header
> should be "Host: f.q.d.n", the port number being obtainable via other
> means. However, Netscape screwed up and made it "Host: f.q.d.n:portnum" if
> there was a port in the original URI. So the spec was changed. However,

Well, in slight defense of Netscape, they decided to do that after
misinterpreting one of my messages where I said the spec would say
"send whatever is between the // and first / of the original URL
(after relative-to-base parsing).  What I was talking about was just
the hostname, but they interpreted it otherwise (and for a good reason).
The only problem was that they never told me how they would implement it
(and why), which would have prevented the whole confusement.

> there are still a couple browsers out there (old versions of emacs-w3, I
> think, mostly) that don't send the port number, so Apache 1.1's code,
> if there is no port number in the Host: header, will match any port. (it
> also makes it a lot easier to debug a server, because you don't have to
> reach your finger over and hit the colon, then a bunch of numbers *grin*)
> But the HTTP/1.1 spec does mandate that no port number should be interpreted
> as the "default port" (80). So we have to change it eventually, and I
> think it may solve your problem at the same time.

That is "default port" for that particular URL -- you can't assume it is
HTTP's default port of 80 unless you check the full-URL's scheme (if you
have it) or the protocol being used.

.....Roy
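As an added example (not Apache's code and not part of the original message): a Host header parser that applies the rule stated above, resolving an absent port to the default port of the request's scheme rather than matching any port as Apache 1.1 did. The scheme table and the `vhost_matches` helper are assumptions for illustration.

```python
"""Host header handling as discussed in the thread (added example, not Apache code).

The header is either "f.q.d.n" or "f.q.d.n:portnum".  When the port is
absent, HTTP/1.1 says it is the default port for the request's scheme,
which is 80 only for http (443 for https); it is never "any port".
"""
from dataclasses import dataclass

# Assumed scheme -> default-port table; only the schemes needed here.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class HostTarget:
    host: str   # lowercased, since DNS names are case-insensitive
    port: int   # effective port after applying the scheme default


def parse_host_header(value: str, scheme: str) -> HostTarget:
    """Parse 'host[:port]'; an absent port means the scheme's default port."""
    value = value.strip()
    if not value:
        raise ValueError("empty Host header")
    host, sep, port_str = value.partition(":")
    if not host:
        raise ValueError("Host header has no hostname")
    if not sep:
        # No port given: use the scheme's default, not "match any port".
        default = DEFAULT_PORTS.get(scheme)
        if default is None:
            raise ValueError(f"no default port known for scheme {scheme!r}")
        return HostTarget(host.lower(), default)
    if not port_str.isdigit() or not 0 < int(port_str) < 65536:
        raise ValueError(f"bad port in Host header: {port_str!r}")
    return HostTarget(host.lower(), int(port_str))


def vhost_matches(header_value: str, scheme: str,
                  vhost_name: str, vhost_port: int) -> bool:
    """Strict virtual-host match: name and effective port must both agree."""
    target = parse_host_header(header_value, scheme)
    return target == HostTarget(vhost_name.lower(), vhost_port)
```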