Corrected Host header handling (fixes #2477)

src/weighttp.c

@@ -76,9 +76,11 @@ static char *forge_request(char *url, char keep_alive, char **host, uint16_t *po
 	uint32_t len;
 	uint8_t i;
 	uint8_t have_user_agent;
+	char *header_host;
 
 	*host = NULL;
 	*port = 0;
+	header_host = NULL;
 
 	if (strncmp(url, "http://", 7) == 0)
 		url += 7;
@@ -137,6 +139,25 @@ static char *forge_request(char *url, char keep_alive, char **host, uint16_t *po
 
 	have_user_agent = 0;
 	for (i = 0; i < headers_num; i++) {
+		if (strncmp(headers[i], "Host:", sizeof("Host:")-1) == 0) {
+			if (header_host) {
+				W_ERROR("%s", "Duplicate Host header");
+				free(*host);
+				return NULL;
+			}
+			header_host = headers[i] + 5;
+			if (*header_host == ' ')
+				header_host++;
+
+			if (strlen(header_host) == 0) {
+				W_ERROR("%s", "Invalid Host header");
+				free(*host);
+				return NULL;
+			}
+
+			len += strlen(header_host);
+			continue;
+		}
 		len += strlen(headers[i]) + strlen("\r\n");
 		if (strncmp(headers[i], "User-Agent: ", sizeof("User-Agent: ")-1) == 0)
 			have_user_agent = 1;
@@ -150,9 +171,13 @@ static char *forge_request(char *url, char keep_alive, char **host, uint16_t *po
 	strcpy(req, "GET ");
 	strcat(req, url);
 	strcat(req, " HTTP/1.1\r\nHost: ");
-	strcat(req, *host);
+	if (header_host) {
-	if (*port != 80)
+		strcat(req, header_host);
-		sprintf(req + strlen(req), ":%"PRIu16, *port);
+	} else {
+		strcat(req, *host);
+		if (*port != 80)
+			sprintf(req + strlen(req), ":%"PRIu16, *port);
+	}
 
 	strcat(req, "\r\n");
 
@@ -160,6 +185,8 @@ static char *forge_request(char *url, char keep_alive, char **host, uint16_t *po
 		sprintf(req + strlen(req), "User-Agent: weighttp/" VERSION "\r\n");
 
 	for (i = 0; i < headers_num; i++) {
+		if (strncmp(headers[i], "Host:", sizeof("Host:")-1) == 0)
+			continue;
 		strcat(req, headers[i]);
 		strcat(req, "\r\n");
 	}