HTTP requests with no Host header accepted #39033
Comments
This was actually raised a few years ago, here #3094
I read the issue. The discussion in the thread seemed to lean towards adding a check for the Host header, but then it was closed and there is no check for the Host header as of today. What happened? What is the view of the nodejs team today regarding this?
Author:
PR-URL: nodejs#45597
Fixes: nodejs#39033
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
Co-authored-by: mscdex <mscdex@users.noreply.github.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
I was just hit by this (an application suddenly stopped handling errors correctly) and I don't think this should have been merged. The 'http' module is not a complete implementation of HTTP, but merely of the HTTP/1.1 framing, and this rule is not one of those framing rules. Fully implementing the framing rules means it is possible to receive a message, pass it, and the beginning of the next message will never be ambiguous, or misinterpreted by another (compliant) parser. There are many, many requirements in HTTP, for example that "An origin server MUST generate an Allow header field in a 405 (Method Not Allowed) response". Unless Node.js is going to start enforcing all of these, then the HTTP parser should limit itself to enforcing the message framing rules. (#34066 is such a requirement.)
you can pass the option
What steps will reproduce the bug?
This is a bug in the http module. If this is the wrong place to report this, please direct me to the right place.
The following code sets up a simple hello world node server. It listens to port 8080:
If we send the following request with the command below (using echo and nc):
We get the following response:
How often does it reproduce? Is there a required condition?
It happens all the time.
What is the expected behavior?
The expected behavior is for node to answer with a 400 Bad Request response.
What do you see instead?
It answers with a 200 OK response.
Additional information
According to RFC 7230 a request containing no Host header should respond with a 400 (Bad Request).
"A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field [...]" - https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
(Found by Asta Olofsson and Mattias Grenfeldt)
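An application-level version of the check requested above, as an added example that is not part of the issue or of Node.js itself. It goes slightly beyond the quoted sentence: the same RFC 7230 section 5.4 also requires a 400 for more than one Host field or an invalid Host value. `hostHeaderStatus`, `requireHost`, `HOST_VALUE` and the sample requests are constructed for illustration.

```javascript
// Added example: enforce RFC 7230 section 5.4 in the request handler.
// hostHeaderStatus and requireHost are hypothetical names, not Node.js APIs.

// Simplified approximation of Host = uri-host [ ":" port ]: a bracketed IP
// literal or reg-name characters, then an optional numeric port.
const HOST_VALUE = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=-]*)(:\d*)?$/;

// Returns 400 when the request must be rejected, otherwise null.
// Reads req.rawHeaders ([name, value, name, value, ...]) because req.headers
// keeps only the first of several Host fields, which hides duplicates.
function hostHeaderStatus(req) {
  const hosts = [];
  for (let i = 0; i + 1 < req.rawHeaders.length; i += 2) {
    if (req.rawHeaders[i].toLowerCase() === 'host') hosts.push(req.rawHeaders[i + 1]);
  }
  const isHttp11 = req.httpVersionMajor === 1 && req.httpVersionMinor === 1;
  if (hosts.length === 0) return isHttp11 ? 400 : null; // HTTP/1.0 may omit Host
  if (hosts.length > 1) return 400; // duplicates are rejected for any version
  return HOST_VALUE.test(hosts[0].trim()) ? null : 400;
}

// Wraps a normal (req, res) handler, e.g. http.createServer(requireHost(app)).
function requireHost(handler) {
  return (req, res) => {
    const status = hostHeaderStatus(req);
    if (status === null) return handler(req, res);
    res.writeHead(status, { 'Content-Type': 'text/plain', Connection: 'close' });
    res.end('Bad Request\n');
  };
}

// Constructed sample requests shaped like http.IncomingMessage.
const v11 = (rawHeaders) => ({ httpVersionMajor: 1, httpVersionMinor: 1, rawHeaders });
const samples = {
  noHost: v11(['Accept', '*/*']),
  withHost: v11(['Host', 'example.com:8080']),
  duplicateHost: v11(['Host', 'a.example', 'HOST', 'b.example']),
  invalidHost: v11(['Host', 'a.example/path']),
  http10NoHost: { httpVersionMajor: 1, httpVersionMinor: 0, rawHeaders: [] },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, '->', hostHeaderStatus(req) ?? 'accepted');
}
```

Doing the check in the handler keeps the decision with the application, whatever the parser accepts.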