Posted to commits@couchdb.apache.org by ja...@apache.org on 2017/10/08 16:42:18 UTC

[couchdb] 01/01: Backport validate host feature

This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch merge-kxepal-2752-validate-host
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 279f5b181e1136b57a291b68ec1c50b09ee85445
Author: Alexander Shorin <kx...@apache.org>
AuthorDate: Thu Aug 13 03:45:35 2015 +0300

    Backport validate host feature
    
    This includes:
    https://git-wip-us.apache.org/repos/asf?p=couchdb-couch.git;h=fcd24e73d6
    https://git-wip-us.apache.org/repos/asf?p=couchdb-couch.git;h=a5232be86d
    
    COUCHDB-2752
---
 src/couchdb/couch_httpd.erl | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 42ee783..9a6bf3a 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -32,6 +32,7 @@
 -export([accepted_encodings/1,handle_request_int/5,validate_referer/1,validate_ctype/2]).
 -export([http_1_0_keep_alive/2]).
 -export([validate_bind_address/1]).
+-export([validate_host/1]).
 
 start_link() ->
     start_link(http).
@@ -320,6 +321,7 @@ handle_request_int(MochiReq, DefaultFun,
 
     {ok, Resp} =
     try
+        validate_host(HttpReq),
         check_request_uri_length(RawUri),
         case couch_httpd_cors:is_preflight_request(HttpReq) of
         #httpd{} ->
@@ -382,6 +384,34 @@ handle_request_int(MochiReq, DefaultFun,
     couch_stats_collector:increment({httpd, requests}),
     {ok, Resp}.
 
+validate_host(#httpd{} = Req) ->
+    case couch_config:get("httpd", "validate_host", "false") of
+        "true" ->
+            Host = hostname(Req),
+            ValidHosts = valid_hosts(),
+            case lists:member(Host, ValidHosts) of
+                true ->
+                    ok;
+                false ->
+                    throw({bad_request, <<"Invalid host header">>})
+            end;
+        _ ->
+            ok
+    end.
+
+hostname(#httpd{} = Req) ->
+    case header_value(Req, "Host") of
+        undefined ->
+            undefined;
+        Host ->
+            [Name | _] = re:split(Host, ":[0-9]+$", [{parts, 2}, {return, list}]),
+            Name
+    end.
+
+valid_hosts() ->
+    List = couch_config:get("httpd", "valid_hosts", ""),
+    re:split(List, ",", [{return, list}]).
+
 check_request_uri_length(Uri) ->
     check_request_uri_length(Uri, couch_config:get("httpd", "max_uri_length")).
 
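Review bot: `valid_hosts/0` returns a list holding one empty string when `valid_hosts` is unset (the `""` default) or ends with a comma, because `re:split/3` on an empty subject yields `[[]]`. With `validate_host` set to `"true"`, a request whose Host header is empty would then, assuming `header_value/2` returns `""` for it, make `hostname/1` return `""` and satisfy `lists:member/2` in `validate_host/1`. Dropping empty entries in `valid_hosts/0` closes this: `[H || H <- re:split(List, ",", [{return, list}]), H =/= ""]`. The comparison is also exact, so an entry written after a space (`a.example, b.example`) or a Host sent in a different letter case is rejected although host names are case-insensitive; trimming the configured entries and lower-casing both sides with `string:to_lower/1` before the membership test would avoid that.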
