[tbb-commits] [tor-browser/tor-browser-24.5.0esr-4.x-1] Make the CONNECT Host header the same as the Request-URI.
mikeperry at torproject.org
mikeperry at torproject.org
Thu Jun 5 10:20:29 UTC 2014
commit dab5565168923a476dadc32e6cc093a77d704582
Author: David Fifield <david at bamsoftware.com>
Date: Sat May 31 16:59:11 2014 -0700
Make the CONNECT Host header the same as the Request-URI.
It's possible to construct a request where the Host header differs from
the authority in the URL, for example in an extension with
nsIHttpChannel and setRequestHeader. MakeConnectString generates a
host:port string for the CONNECT Request-Line, but peeks into the
tunneled request in order to copy the Host header to the proxy request.
Instead, use the same host:port string for Host as is used in the
Request-URI, to avoid revealing the plaintext of the Host header outside
of the tunnel.
Backport of https://hg.mozilla.org/mozilla-central/rev/a1f6458800d4.
---
netwerk/protocol/http/nsHttpConnection.cpp | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp
index 695f8a5..25ad335 100644
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -1466,12 +1466,9 @@ nsHttpConnection::SetupProxyConnect()
request.SetHeader(nsHttp::Proxy_Connection, NS_LITERAL_CSTRING("keep-alive"));
request.SetHeader(nsHttp::Connection, NS_LITERAL_CSTRING("keep-alive"));
- val = mTransaction->RequestHead()->PeekHeader(nsHttp::Host);
- if (val) {
- // all HTTP/1.1 requests must include a Host header (even though it
- // may seem redundant in this case; see bug 82388).
- request.SetHeader(nsHttp::Host, nsDependentCString(val));
- }
+ // all HTTP/1.1 requests must include a Host header (even though it
+ // may seem redundant in this case; see bug 82388).
+ request.SetHeader(nsHttp::Host, buf);
val = mTransaction->RequestHead()->PeekHeader(nsHttp::Proxy_Authorization);
if (val) {
More information about the tbb-commits
mailing list