You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by John Cottrell <jc...@matrixscience.com> on 2001/09/27 19:06:57 UTC

general/8421: Hostnames with underscore produce "Client sent malformed Host header"

>Number:         8421
>Category:       general
>Synopsis:       Hostnames with underscore produce "Client sent malformed Host header"
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Sep 27 10:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     jcottrell@matrixscience.com
>Release:        1.3.20
>Organization:
apache
>Environment:
N/A
>Description:
I echo the comments in PR number 6551. Many people who access our web site use a client application to retrieve information from a database. The author of the client application mistakenly included the directory in the host line of the request header, i.e. Host: hostname/cgi

This was a stupid error, but easily missed because it showed no symptoms with Apache or IIS. We recently upgraded our web server, and installed Apache 1.3.19. Suddenly, the client application was broken, and it took us some time to figure out what the problem was. Without going into all the reasons, fixing the client application is not an option. 

Hopefully, as suggested in the response to PR 6551, someone will implement a configuration directive to relax hostname checking. Can I add a plea to do this in a reasonably flexible fashion, so as to allow through the kind of error described here without opening up any serious security hole.
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]