[PATCH 0 of 4] host validation cleanup

Maxim Dounin mdounin at mdounin.ru
Mon Aug 18 23:51:32 UTC 2025


Hello!

The following patch series improves ngx_http_validate_host().  It now
requires the Host header to be valid according to RFC 3986, instead of
accepting more or less anything except ".." and "/".  In particular, 
non-ASCII characters and invalid port numbers are no longer allowed
in the Host header.

This also fixes "." not being stripped if port contained ".", which can
be seen as an issue in some configurations, see
https://github.com/freenginx/nginx/issues/11.

At the same time, the patch series relaxes checks in request line parsing
to actually accept hosts which are valid per RFC 3986 (and RFC 6874,
IPv6 addresses with zone identifiers).  Previously, much stricter rules
were used, and some valid hosts were rejected in the request line - notably,
hosts with "_", which are used in practice.  This wasn't really noticed
though, since the absolute form of the request URI isn't used much.

Review and testing appreciated.

-- 
Maxim Dounin
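
The kind of check the message describes, as an added example that is not code from the patch series or from nginx: a Host value is matched against the RFC 3986 `host [ ":" port ]` grammar, and the trailing dot is stripped from the host part independently of the port. The name `host_check` and the choice to reject an empty host are assumptions of this example; IP-literals are checked for their character set only, without zone identifiers.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not nginx code.  Writes the lowercased host, without port
 * and trailing dot, to out.  Returns 0 if the value is valid, -1 otherwise
 * (out is then unspecified). */
int host_check(const char *in, char *out, size_t outsz)
{
    static const char extra[] = "-._~!$&'()*+,;=";  /* unreserved + sub-delims */
    size_t n = strlen(in), hlen, i, o = 0;
    const char *p;
    int lit = (in[0] == '[');                        /* IP-literal? */

    if (n == 0 || n >= outsz) return -1;

    if (lit) {
        p = memchr(in, ']', n);
        if (p == NULL || p - in < 3) return -1;
        hlen = (size_t) (p - in) + 1;
        for (i = 1; i + 1 < hlen; i++) {             /* hex digits, ':' and '.' */
            if (!isxdigit((unsigned char) in[i]) && in[i] != ':' && in[i] != '.')
                return -1;
        }
    } else {                                         /* reg-name or IPv4 */
        p = memchr(in, ':', n);
        hlen = p ? (size_t) (p - in) : n;
    }

    for (i = 0; i < hlen; i++) {
        unsigned char c = (unsigned char) in[i];
        if (!lit && c == '%') {                      /* pct-encoded: % HEX HEX */
            if (hlen - i < 3 || !isxdigit((unsigned char) in[i + 1])
                || !isxdigit((unsigned char) in[i + 2])) return -1;
        } else if (!lit && !(c < 0x80 && (isalnum(c) || strchr(extra, c)))) {
            return -1;                               /* non-ASCII, "/", space, ... */
        }
        out[o++] = (char) tolower(c);
    }

    if (!lit && o > 0 && out[o - 1] == '.') o--;     /* strip trailing dot */
    if (o == 0) return -1;                           /* empty host (assumption) */
    out[o] = '\0';
    p = in + hlen;                                   /* "" or ":" port */
    if (*p == '\0') return 0;
    if (*p++ != ':') return -1;
    while (*p) if (!isdigit((unsigned char) *p++)) return -1;  /* port = *DIGIT */
    return 0;
}
```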
