Skip to content

Commit

Permalink
fix: Do not include user information in Host header
Browse files Browse the repository at this point in the history 
According to RFC 9110, section 7.2, the Host header should only comprise
the URI host and an optional port.

Currently, the examples set the Host header to the URI's authority which
may also contain user information (see RFC 3986, section 3.2).

Update the examples to construct the Host header manually to avoid
sensitive information from showing up in server logs and to ensure that
the server's routing logic works correctly when a username and password
are supplied.
  • Loading branch information
@tindzk
tindzk committed Apr 5, 2024
1 parent df33d4d commit 2741b5b
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 8 deletions.
7 changes: 5 additions & 2 deletions examples/client.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,12 +53,15 @@ async fn fetch_url(url: hyper::Uri) -> Result<()> {
}
});

let authority = url.authority().unwrap().clone();
let host_header = match (url.host(), url.port_u16()) {
(Some(host), Some(port)) => format!("{}:{}", host, port),
_ => url.host().unwrap().to_string(),
};

let path = url.path();
let req = Request::builder()
.uri(path)
.header(hyper::header::HOST, authority.as_str())
.header(hyper::header::HOST, host_header)
.body(Empty::<Bytes>::new())?;

let mut res = sender.send_request(req).await?;
Expand Down
7 changes: 5 additions & 2 deletions examples/client_json.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,12 +42,15 @@ async fn fetch_json(url: hyper::Uri) -> Result<Vec<User>> {
}
});

let authority = url.authority().unwrap().clone();
let host_header = match (url.host(), url.port_u16()) {
(Some(host), Some(port)) => format!("{}:{}", host, port),
_ => url.host().unwrap().to_string(),
};

// Fetch the url...
let req = Request::builder()
.uri(url)
.header(hyper::header::HOST, authority.as_str())
.header(hyper::header::HOST, host_header)
.body(Empty::<Bytes>::new())?;

let res = sender.send_request(req).await?;
Expand Down
14 changes: 10 additions & 4 deletions examples/single_threaded.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -181,13 +181,16 @@ async fn http1_client(url: hyper::Uri) -> Result<(), Box<dyn std::error::Error>>
}
});

let authority = url.authority().unwrap().clone();
let host_header = match (url.host(), url.port_u16()) {
(Some(host), Some(port)) => format!("{}:{}", host, port),
_ => url.host().unwrap().to_string(),
};

// Make 4 requests
for _ in 0..4 {
let req = Request::builder()
.uri(url.clone())
.header(hyper::header::HOST, authority.as_str())
.header(hyper::header::HOST, &host_header)
.body(Body::from("test".to_string()))?;

let mut res = sender.send_request(req).await?;
Expand Down Expand Up @@ -282,13 +285,16 @@ async fn http2_client(url: hyper::Uri) -> Result<(), Box<dyn std::error::Error>>
}
});

let authority = url.authority().unwrap().clone();
let host_header = match (url.host(), url.port_u16()) {
(Some(host), Some(port)) => format!("{}:{}", host, port),
_ => url.host().unwrap().to_string(),
};

// Make 4 requests
for _ in 0..4 {
let req = Request::builder()
.uri(url.clone())
.header(hyper::header::HOST, authority.as_str())
.header(hyper::header::HOST, &host_header)
.body(Body::from("test".to_string()))?;

let mut res = sender.send_request(req).await?;
Expand Down

0 comments on commit 2741b5b

Please sign in to comment.