From 200e38acfb7685f5209f25bf0dcc98638943433a Mon Sep 17 00:00:00 2001
From: Michael Hanselmann <hansmi@google.com>
Date: Thu, 3 Dec 2009 16:20:34 +0100
Subject: [PATCH] http.server: Refuse HTTP/1.1 request without Host header

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>
---
 lib/http/server.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/http/server.py b/lib/http/server.py
index bdcdcd25e..fbc7ec7fa 100644
--- a/lib/http/server.py
+++ b/lib/http/server.py
@@ -268,6 +268,14 @@ class HttpServerRequestExecutor(object):
 try:
 try:
 request_msg_reader = self._ReadRequest()
+
+ # RFC2616, 14.23: All Internet-based HTTP/1.1 servers MUST respond
+ # with a 400 (Bad Request) status code to any HTTP/1.1 request
+ # message which lacks a Host header field.
+ if (self.request_msg.start_line.version == http.HTTP_1_1 and
+ http.HTTP_HOST not in self.request_msg.headers):
+ raise http.HttpBadRequest(message="Missing Host header")
+
 self._HandleRequest()
 
 # Only wait for client to close if we didn't have any exception.
-- 
GitLab
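Review bot: The new guard after `self._ReadRequest()` checks only that a Host header is present, so an HTTP/1.1 request carrying several Host headers, or one with an empty value, still reaches `_HandleRequest()`; if anything downstream (request routing, a fronting proxy) relies on the Host value, that ambiguity is worth rejecting as well. The membership test `http.HTTP_HOST not in self.request_msg.headers` is also only correct if the headers container matches field names case-insensitively, which this hunk does not show — presumably it does, but confirm. Consider stating the limit in the comment, e.g. `# Presence check only; duplicate or empty Host headers are not rejected here`, and adding a unit test for an HTTP/1.1 request without Host, since the commit touches only `lib/http/server.py`. The enclosing `try` blocks start and end outside the hunk, so how `HttpBadRequest` becomes the 400 response is not visible here.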