Received: (qmail 26164 invoked by uid 501); 11 Sep 2000 20:28:16 -0000
Message-Id: <20000911202816.26163.qmail@locus.apache.org>
Date: 11 Sep 2000 20:28:16 -0000
From: Ron Murray <rjmx@bigfoot.com>
Reply-To: rjmx@bigfoot.com
To: submit@bugz.apache.org
Subject: Absolute URIs in a HTTP/1.0 request ignore supplied host
X-Send-Pr-Version: 3.110

>Number:         6516
>Category:       protocol
>Synopsis:       Absolute URIs in a HTTP/1.0 request ignore supplied host
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Sep 11 13:30:12 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     rjmx@bigfoot.com
>Release:        1.3.12
>Organization:
apache
>Environment:
Most any, as far as I can tell. Unix at least, anyway.
>Description:
   If an absolute URI is supplied in an HTTP/1.0 request, and the proxy is not
enabled, Apache will remove the host portion and deliver the rest of the URL.
For example, if I do
$ telnet some-server 80
GET http://some-other-server/path/file

   then Apache will return /path/file on some-server (if it exists), or a 404
if it doesn't. Naturally, if proxies are enabled, then it should return
some-other-server/path/file.

   I believe it should return a 404 whether or not the file exists on the local
server. RFC 1945 (the HTTP/1.0 RFC) states:
5.1.2 Request-URI

   The Request-URI is a Uniform Resource Identifier (Section 3.2) and
   identifies the resource upon which to apply the request.

       Request-URI    = absoluteURI | abs_path

   The two options for Request-URI are dependent on the nature of the
   request.

   The absoluteURI form is only allowed when the request is being made
   to a proxy.

   (etc etc)

....which seems to indicate that absolute URIs should be refused altogether
unless the proxy is enabled. I don't know if it's necessary to go this far,
but certainly requests for anything on a host other than the local host should
probably be refused.

 .....Ron

>How-To-Repeat:
telnet www.apache.org 80
GET http://www.rhubarb.com
(Normal Apache home page is delivered)

Expected behaviour: 404 not found (or similar)
>Fix:
Not at this stage. I'm not very familiar with the Apache sources yet!
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]