From 1d4c4128cf111085c25c2a3002c3c4b4456a0491 Mon Sep 17 00:00:00 2001
From: Tony Finch <fanf@apache.org>
Date: Wed, 18 Oct 2000 04:48:34 +0000
Subject: [PATCH] Tighten up the syntax checking of Host: headers to fix a
 security bug in some mass virtual hosting configurations that can allow a
 remote attacker to retrieve some files on the system that should be
 inaccessible. The problem occured with requests including the line "Host:
 ..." -- the last dot is stripped and the remaining ".." then reveals a parent
 directory.

Reported by: Peter Christoffersen <pch@mindpass.com>
Message-ID: <8quts6$2el$1@news.inet.tele.dk>
Newsgroups: comp.infosystems.www.servers.unix


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86637 13f79535-47bb-0310-9956-ffa450edef68
---
 server/vhost.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/vhost.c b/server/vhost.c
index 95c3bb9ef9..4954c2aaf4 100644
--- a/server/vhost.c
+++ b/server/vhost.c
@@ -714,7 +714,14 @@ static void fix_hostname(request_rec *r)
     src = r->hostname;
     dst = host;
     while (*src) {
-	if (!apr_isalnum(*src) && *src != '.' && *src != '-') {
+	if (!apr_isalnum(*src) && *src != '-') {
+	    if (*src == '.') {
+		*dst++ = *src++;
+		if (*src == '.')
+		    goto bad;
+		else
+		    continue;
+	    }
 	    if (*src == ':')
 		break;
 	    else
-- 
2.50.1