* If the SNI extension supplied a hostname. So don't accept requests with

either no hostname or a different hostname. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757373 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2009-03-23 10:51:00 +00:00
parent 98e9873c17
commit d5897d537b
1 changed files with 25 additions and 5 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -160,11 +160,31 @@ int ssl_hook_ReadReq(request_rec *r)
        return DECLINED;
    }
 #ifndef OPENSSL_NO_TLSEXT
-    if (!r->hostname &&
-        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-        /* Use the SNI extension as the hostname if no Host: header was sent */
-        r->hostname = apr_pstrdup(r->pool, servername);
-        ap_update_vhost_from_headers(r);
+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+        char *host, *scope_id;
+        apr_port_t port;
+        apr_status_t rv;
+
+        /*
+         * The SNI extension supplied a hostname. So don't accept requests
+         * with either no hostname or a different hostname.
+         */
+        if (!r->hostname) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                        "Hostname %s provided via SNI, but no hostname"
+                        " provided in HTTP request", servername);
+            return HTTP_BAD_REQUEST;
+        }
+        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+        if (rv != APR_SUCCESS || scope_id) {
+            return HTTP_BAD_REQUEST;
+        }
+        if (strcmp(host, servername)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                        "Hostname %s provided via SNI and hostname %s provided"
+                        " via HTTP are different", servername, host);
+            return HTTP_BAD_REQUEST;
+        }
    }
 #endif
    SSL_set_app_data2(ssl, r);