HTTP_HOST showing a comma separated list

**Rik Wasmus** · Mar 6 '08, 07:25 PM

Re: HTTP_HOST showing a comma separated list

On Thu, 06 Mar 2008 19:54:44 +0100, Hermann <Hermann.Richte r@gmail.com>
wrote:

I run a server with apache 1.3 and php 5.
Yesterday I notice that sometimes the HTTP_HOST server variable has a
comma separated list in it.
Let's say my domain name is: www.mydomain.com
>
Usually the HTTP_HOST value is of course "www.mydomain.c om".
>
But sometimes it is: "www.mydomain.c om, www.mydomain.co m".
>
Is that supposed to be a correct behabior??
And if it is, what would be the meaning of such a list of hosts??
>
And If this is a correct behavior, then that means we cannot longer
trust the HTTP_HOST value to make a full absolute URL. Like when you
do:
"http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ;

HTTP_HOST has the (user supplied) Host: header.

As I've never had any site that wasn't a virtual host, I normally use
$_SERVER['SERVER_NAME'] when I need it (which is only on header redirects,
for the remainder of the links I leave the whole protocol & domain portion
out of it).
--
Rik Wasmus

**Michael Fesser** · Mar 7 '08, 12:35 AM

Re: HTTP_HOST showing a comma separated list

..oO(Hermann)

>I run a server with apache 1.3 and php 5.
>Yesterday I notice that sometimes the HTTP_HOST server variable has a
>comma separated list in it.
>Let's say my domain name is: www.mydomain.com

Next time please use example.com or .org for giving example URLs. They
are explicitly reserved for that purpose and not in use for anything
else.

>Usually the HTTP_HOST value is of course "www.mydomain.c om".
>
>But sometimes it is: "www.mydomain.c om, www.mydomain.co m".
>
>Is that supposed to be a correct behabior??

No, it's not a valid hostname. If this was really sent by the client,
then IMHO the server should reject the request with "400 Bad Request".

Micha

**Hermann** · Mar 7 '08, 03:15 AM

Re: HTTP_HOST showing a comma separated list

On Mar 6, 9:32 pm, Michael Fesser <neti...@gmx.de wrote:

.oO(Hermann)
>
Next time please use example.com or .org for giving example URLs. They
are explicitly reserved for that purpose and not in use for anything
else.

Thanks by the advice.

No, it's not a valid hostname. If this was really sent by the client,
then IMHO the server should reject the request with "400 Bad Request".

That's what I thought. What worries me is the fact that Apache
actually found a match between the CSV string and one of the virtual
hosts I have, otherwise my PHP script wouldn't have been executed in
the first place.

I'm gonna log the entire request header next time this happens and
post it here.

Thanks by your replies.

**Hermann** · Mar 8 '08, 08:45 PM

Re: HTTP_HOST showing a comma separated list

On Mar 8, 3:11 pm, Michael Fesser <neti...@gmx.de wrote:

Hmm, my local server responds with a redirect, containing the malformed
host name. After sending something like above I get:
>
HTTP/1.1 302 Found
Date: Sat, 08 Mar 2008 18:03:58 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18
Location:http://www.example.com,www.example.com/apache2-default/

Oh.
This sounds like a bug. I wonder if it was reported already.

**Jerry Stuckle** · Mar 8 '08, 09:15 PM

Re: HTTP_HOST showing a comma separated list

Hermann wrote:

On Mar 8, 3:11 pm, Michael Fesser <neti...@gmx.de wrote:

>Hmm, my local server responds with a redirect, containing the malformed
>host name. After sending something like above I get:
>>
>HTTP/1.1 302 Found
>Date: Sat, 08 Mar 2008 18:03:58 GMT
>Server: Apache/2.2.3 (Debian) mod_jk/1.2.18
>Location:http://www.example.com,www.example.com/apache2-default/

>
Oh.
This sounds like a bug. I wonder if it was reported already.
>

Or, more likely, a bad configuration.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

**Rik Wasmus** · Mar 10 '08, 09:05 AM

Re: HTTP_HOST showing a comma separated list

On Sat, 08 Mar 2008 21:38:30 +0100, Hermann <Hermann.Richte r@gmail.com>
wrote:

On Mar 8, 3:11 pm, Michael Fesser <neti...@gmx.de wrote:

>Hmm, my local server responds with a redirect, containing the malformed
>host name. After sending something like above I get:
>>
>HTTP/1.1 302 Found
>Date: Sat, 08 Mar 2008 18:03:58 GMT
>Server: Apache/2.2.3 (Debian) mod_jk/1.2.18
>Location:http://www.example.com,www.example.com/apache2-default/

>
Oh.
This sounds like a bug. I wonder if it was reported already.

Well, not a PHP one. PHP explicitly states it just copies the Host: header
from the request (if there even is one). Wether or not there's garbage in
there doesn't matter to PHP, and shouldn't to you. Apache might use
it/have something to say about it/break with a certain configuration, but
that would be OT here, and of zero importants to your PHP scripts.

I say to you again: SERVER_NAME (which is NOT user supplied).
--
Rik Wasmus

**AnrDaemon** · Mar 11 '08, 03:15 AM

Re: HTTP_HOST showing a comma separated list

Greetings, Rik Wasmus.
In reply to Your message dated Monday, March 10, 2008, 11:59:38,

>>Hmm, my local server responds with a redirect, containing the malformed
>>host name. After sending something like above I get:
>>>
>>HTTP/1.1 302 Found
>>Date: Sat, 08 Mar 2008 18:03:58 GMT
>>Server: Apache/2.2.3 (Debian) mod_jk/1.2.18
>>Location:http://www.example.com,www.example.com/apache2-default/

>>
>Oh.
>This sounds like a bug. I wonder if it was reported already.

Well, not a PHP one. PHP explicitly states it just copies the Host: header
from the request (if there even is one). Wether or not there's garbage in
there doesn't matter to PHP, and shouldn't to you. Apache might use
it/have something to say about it/break with a certain configuration, but
that would be OT here, and of zero importants to your PHP scripts.

I say to you again: SERVER_NAME (which is NOT user supplied).

+ SERVER_PORT is that isn't 80.

--
Sincerely Yours, AnrDaemon <anrdaemon@free mail.ru>

HTTP_HOST showing a comma separated list

HTTP_HOST showing a comma separated list

Comment

Comment

Comment

Comment

Comment

Comment

Comment