From 607335aa741d01230bde873adf420b2cf85ce89f Mon Sep 17 00:00:00 2001 From: default Date: Wed, 3 Jan 2024 09:22:07 +0100 Subject: [PATCH] Try to avoid host header misconfigurations in check_signature(). --- http.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/http.c b/http.c index da613ec..16b15c8 100644 --- a/http.c +++ b/http.c @@ -223,6 +223,19 @@ int check_signature(xs_dict *req, xs_str **err) if (strcmp(v, "(expires)") == 0) { ss = xs_fmt("%s: %s", v, expires); } + else + if (strcmp(v, "host") == 0) { + hc = xs_dict_get(req, "host"); + + /* if there is no host header or some garbage like + address:host has arrived here due to misconfiguration, + signature verify will totally fail, so let's Leroy Jenkins + with the global server hostname instead */ + if (hc == NULL || xs_str_in(hc, ":") != -1) + hc = xs_dict_get(srv_config, "host"); + + ss = xs_fmt("host: %s", hc); + } else { /* add the header */ if ((hc = xs_dict_get(req, v)) == NULL) {