Try to avoid host header misconfigurations in check_signature().

2024-09-19 18:00:23 +03:00 · 2024-01-03 09:22:07 +01:00 · 2024-01-03 09:22:07 +01:00 · 607335aa74
commit 607335aa74
parent 6bd8aed25d
1 changed files with 13 additions and 0 deletions
--- a/http.c
+++ b/http.c
@ -223,6 +223,19 @@ int check_signature(xs_dict *req, xs_str **err)
            if (strcmp(v, "(expires)") == 0) {
                ss = xs_fmt("%s: %s", v, expires);
            }
+            else
+            if (strcmp(v, "host") == 0) {
+                hc = xs_dict_get(req, "host");
+
+                /* if there is no host header or some garbage like
+                   address:host has arrived here due to misconfiguration,
+                   signature verify will totally fail, so let's Leroy Jenkins
+                   with the global server hostname instead */
+                if (hc == NULL || xs_str_in(hc, ":") != -1)
+                    hc = xs_dict_get(srv_config, "host");
+
+                ss = xs_fmt("host: %s", hc);
+            }
            else {
                /* add the header */
                if ((hc = xs_dict_get(req, v)) == NULL) {