Posted to commits@couchdb.apache.org by ja...@apache.org on 2017/10/08 16:42:18 UTC
[couchdb] 01/01: Backport validate host feature
This is an automated email from the ASF dual-hosted git repository.
jan pushed a commit to branch merge-kxepal-2752-validate-host
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 279f5b181e1136b57a291b68ec1c50b09ee85445
Author: Alexander Shorin <kx...@apache.org>
AuthorDate: Thu Aug 13 03:45:35 2015 +0300
Backport validate host feature
This includes:
https://git-wip-us.apache.org/repos/asf?p=couchdb-couch.git;h=fcd24e73d6
https://git-wip-us.apache.org/repos/asf?p=couchdb-couch.git;h=a5232be86d
COUCHDB-2752
---
src/couchdb/couch_httpd.erl | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
index 42ee783..9a6bf3a 100644
--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -32,6 +32,7 @@
-export([accepted_encodings/1,handle_request_int/5,validate_referer/1,validate_ctype/2]).
-export([http_1_0_keep_alive/2]).
-export([validate_bind_address/1]).
+-export([validate_host/1]).
start_link() ->
start_link(http).
@@ -320,6 +321,7 @@ handle_request_int(MochiReq, DefaultFun,
{ok, Resp} =
try
+ validate_host(HttpReq),
check_request_uri_length(RawUri),
case couch_httpd_cors:is_preflight_request(HttpReq) of
#httpd{} ->
@@ -382,6 +384,34 @@ handle_request_int(MochiReq, DefaultFun,
couch_stats_collector:increment({httpd, requests}),
{ok, Resp}.
+validate_host(#httpd{} = Req) ->
+ case couch_config:get("httpd", "validate_host", "false") of
+ "true" ->
+ Host = hostname(Req),
+ ValidHosts = valid_hosts(),
+ case lists:member(Host, ValidHosts) of
+ true ->
+ ok;
+ false ->
+ throw({bad_request, <<"Invalid host header">>})
+ end;
+ _ ->
+ ok
+ end.
+
+hostname(#httpd{} = Req) ->
+ case header_value(Req, "Host") of
+ undefined ->
+ undefined;
+ Host ->
+ [Name | _] = re:split(Host, ":[0-9]+$", [{parts, 2}, {return, list}]),
+ Name
+ end.
+
+valid_hosts() ->
+ List = couch_config:get("httpd", "valid_hosts", ""),
+ re:split(List, ",", [{return, list}]).
+
check_request_uri_length(Uri) ->
check_request_uri_length(Uri, couch_config:get("httpd", "max_uri_length")).
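Review bot: `valid_hosts()` returns the raw pieces of `re:split(List, ",", [{return, list}])`, so with `validate_host = true` and `valid_hosts` left at its default `""` (or written with a trailing comma) the list appears to contain an empty string, and a request whose `Host` header is present but empty would then pass the `lists:member/2` check. Entries are also compared byte-for-byte, so a value written as `a.example, b.example` (space after the comma) or a mixed-case `Host` header is rejected even though host names are case-insensitive. Dropping blank entries and normalising both sides would address both, e.g. `[string:to_lower(string:strip(H)) || H <- re:split(List, ",", [{return, list}]), string:strip(H) =/= ""]` in `valid_hosts/0`, plus lower-casing `Name` in `hostname/1`. A short comment on `validate_host/1` stating that a missing `Host` header yields `undefined` and is therefore rejected would document the intended fail-closed behaviour.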
--