From 8f3b537547af9114416ff873228b2021995c9cea Mon Sep 17 00:00:00 2001 From: Christopher Faulet Date: Thu, 28 Aug 2025 15:05:57 +0200 Subject: [PATCH] MEDIUM: proxy: Reject some header names for 'http-send-name-header' directive From time to time, we saw the 'http-send-name-header' directive used to overwrite the Host header to workaround limitations of a buggy application. Most of time, this led to troubles. This was never officially supported and each time we strongly discouraged anyone to do so. We already thought to deprecate this directive, but it seems to be still used by few people. So for now, we decided to strengthen the tests performed on it. The header name is now checked during the configuration parsing to forbid some risky names. 'Host', 'Content-Length', 'Transfer-Encoding' and 'Connection' header names are now rejected. But more headers could be added in future. --- doc/configuration.txt | 10 ++-------- src/cfgparse-listen.c | 9 +++++++++ 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 99972f747..de3da7a2b 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8366,14 +8366,8 @@ http-send-name-header [
] very late in the connection setup, it may have unexpected effects on already modified headers. For example using it with transport-level header such as connection, content-length, transfer-encoding and so on will likely result in - invalid requests being sent to the server. Additionally it has been reported - that this directive is currently being used as a way to overwrite the Host - header field in outgoing requests; while this trick has been known to work - as a side effect of the feature for some time, it is not officially supported - and might possibly not work anymore in a future version depending on the - technical difficulties this feature induces. A long-term solution instead - consists in fixing the application which required this trick so that it binds - to the correct host name. + invalid requests being sent to the server. This is why following header names + are forbidden: host, content-length, transfer-encoding and connection. See also : "server" diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c index 07bb05012..b0d24be3a 100644 --- a/src/cfgparse-listen.c +++ b/src/cfgparse-listen.c @@ -1476,6 +1476,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) err_code |= ERR_ALERT | ERR_FATAL; goto out; } + if (strcasecmp(args[1], "host") == 0 || + strcasecmp(args[1], "content-length") == 0 || + strcasecmp(args[1], "transfer-encoding") == 0 || + strcasecmp(args[1], "connection") == 0) { + ha_alert("parsing [%s:%d] : '%s' cannot be used as header name for '%s' directive.\n", + file, linenum, args[1], args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } /* set the desired header name, in lower case */ istfree(&curproxy->server_id_hdr_name);