Re: Is $http_host dangerous?

Francis Daly
May 27, 2012 08:30PM
On Sun, May 27, 2012 at 06:16:06PM -0400, x7311 wrote:

Hi there,

> Actually, I should reconsider my position on this after reading this:
> http://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma

That page seems to be about variables made available by the PHP
implementation in apache.

In nginx, PHP is (typically) accessed using fastcgi, so the $_SERVER
variables are exactly what is set in (again, typically) fastcgi.conf.

HTTP_HOST is "the Host: header, if any". SERVER_NAME from nginx is "the
first element of server_name", but from apache appeared to depend on the
Host: header.

For both apache and nginx, HTTP_* come straight from the user, and some
other variables come from the server admin.

> I am not sure how nginx reacts to that, but according to you Francis,
> you seem to be in line with Chris Shiflett that neither is safe nor
> insecure. They are pretty much the same thing.

Agreed. Once you know what the variables represent, you can decide what
is the appropriate one for your use case.

It is not difficult to construct a scenario in nginx where $server_name
is "one", $http_host is "two", and $host is "three". But that's unlikely
to be done by an innocent user.

> Under one circumstance, can you think of a way to exploit when using
> $http_host?

Using $http_host instead of $host?

Pick any circumstance where they are different, and the difference
matters. A simple one is "root /var/www/$http_host". Now "curl
http://public/" and "curl http://PUBLIC/" will probably return different
content, where "root /var/www/$host" would have returned the same.

Or

echo 'GET http://public/ HTTP/1.0
Host: private

' | nc public 80

would also probably return different content (and that one might also
"work" for "proxy_set_header Host $http_host" to an upstream server).

It depends on how the variables are used. And it can probably all be
avoided by appropriate configuration elsewhere.

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
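The three cases Francis describes (curl with a lowercase vs uppercase Host, the nc request with an absolute URI in the request line and a different Host header, and the "one / two / three" configuration) can be reproduced offline with a small model of how nginx derives $http_host, $host and $server_name. This is an added example, not code from the original post or from nginx itself: it is a simplified re-implementation of the documented rules ($http_host is the Host header verbatim; $host is the host from the request line if the target is an absolute URI, otherwise the Host header, otherwise the first server_name, lowercased and with the port removed; $server_name is the first name in the server_name directive). The raw requests, the server name list and the root templates are constructed for the example; real nginx additionally rejects malformed Host values with 400 and picks the server block by matching $host, which this model does not do.

```python
"""Model of how nginx fills $http_host, $host and $server_name, and what a
`root /var/www/$http_host` versus `root /var/www/$host` directive resolves to.
Added example with simplified rules; not nginx source code."""


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers).
    Header names are lowercased; the first occurrence of a name wins."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def _strip_port(authority: str) -> str:
    """Drop a trailing :port; keep bracketed IPv6 literals intact."""
    if authority.startswith("["):
        end = authority.find("]")
        return authority[:end + 1] if end != -1 else authority
    return authority.split(":", 1)[0]


def nginx_vars(raw: bytes, server_names):
    """Return the values nginx would expose as $http_host, $host, $server_name.
    server_names is the list from the matching `server_name` directive
    (assumption: the block has already been selected)."""
    _method, target, _version, headers = parse_request(raw)
    http_host = headers.get("host", "")  # $http_host: header as sent, "" if absent
    if "://" in target:
        # Absolute-form request target: the host in the request line wins.
        authority = target.split("://", 1)[1].split("/", 1)[0]
        host = _strip_port(authority).lower()
    elif http_host:
        host = _strip_port(http_host).lower()
    else:
        host = server_names[0]  # no Host at all: fall back to the server name
    return {"http_host": http_host, "host": host, "server_name": server_names[0]}


def document_root(variables: dict, template: str) -> str:
    """Expand a `root` directive that uses $http_host or $host."""
    return (template.replace("$http_host", variables["http_host"])
                    .replace("$host", variables["host"]))


# Constructed requests mirroring the post's examples.
REQ_LOWER = b"GET / HTTP/1.1\r\nHost: public\r\n\r\n"            # curl http://public/
REQ_UPPER = b"GET / HTTP/1.1\r\nHost: PUBLIC\r\n\r\n"            # curl http://PUBLIC/
REQ_PORT = b"GET / HTTP/1.1\r\nHost: public:8080\r\n\r\n"        # curl http://public:8080/
REQ_NC = b"GET http://public/ HTTP/1.0\r\nHost: private\r\n\r\n"  # the nc request
REQ_THREE = b"GET http://three/ HTTP/1.0\r\nHost: two\r\n\r\n"    # server_name one;
REQ_NOHOST = b"GET / HTTP/1.0\r\n\r\n"                          # HTTP/1.0, no Host

if __name__ == "__main__":
    for label, req in [("lower", REQ_LOWER), ("upper", REQ_UPPER),
                       ("port", REQ_PORT), ("nc", REQ_NC)]:
        v = nginx_vars(req, ["public"])
        print(label, v,
              "root/$http_host ->", document_root(v, "/var/www/$http_host"),
              "root/$host ->", document_root(v, "/var/www/$host"))
    print("one/two/three:", nginx_vars(REQ_THREE, ["one"]))
```

Running it shows the point of the post: with `root /var/www/$http_host` the uppercase and port-carrying requests resolve to /var/www/PUBLIC and /var/www/public:8080, while `root /var/www/$host` gives /var/www/public for all of them; the nc request yields $host "public" but $http_host "private", which is also the value an upstream would receive under `proxy_set_header Host $http_host`.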