UNFINISHED: refuse conflicting host names

pajod · pajod · commit 38b728b977b3 · 2025-04-08T17:58:43.000+02:00
demand case-insensitive match of duplicate headers, or host header sent in url with absolute-form target UNFINISHED: This patch is not compliant with https://datatracker.ietf.org/doc/html/rfc9112#section-3.2.2-6 "When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target."
diff --git a/gunicorn/http/message.py b/gunicorn/http/message.py
@@ -46,6 +46,7 @@ def __init__(self, cfg, unreader, peer_addr):
         self.scheme = "https" if cfg.is_ssl else "http"
         self.must_close = False
         self._expected_100_continue = False
+        self._seen_netloc = None
 
         # set headers limits
         self.limit_request_fields = cfg.limit_request_fields
@@ -136,6 +137,17 @@ def parse_headers(self, data, from_trailer=False):
             if header_length > self.limit_request_field_size > 0:
                 raise LimitRequestHeaders("limit request headers fields size")
 
+            if not from_trailer and name == "HOST":
+                # if we parse the URL and split it for the app
+                #  the app can hold us accountable to get this right
+                #  we cannot get it right when we see conflicting values
+                if self._seen_netloc is None:
+                    self._seen_netloc = value
+                else:
+                    # e.g. "HOST.com:443" != "host"
+                    if self._seen_netloc.lower().split(":",1)[0] != value.lower().split(":",1)[0]:
+                        raise InvalidHeader(name)
+
             if not from_trailer and name == "EXPECT":
                 # unquoted expectations are case-insensitive
                 if value.lower() == "100-continue":
@@ -465,6 +477,8 @@ def parse_request_line(self, line_bytes):
         self.path = parts.path or ""
         self.query = parts.query or ""
         self.fragment = parts.fragment or ""
+        if parts.netloc:
+            self._seen_netloc = parts.netloc
 
         # Version
         match = VERSION_RE.fullmatch(bits[2])
