[jetty-users] How to prevent host header injection redirection in jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] How to prevent host header injection redirection in jetty

From: Xiao Li <lixiao2007@xxxxxxxxx>
Date: Fri, 27 Sep 2019 10:07:19 -0400
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

I have a filter in webdefault.xml. In the filter, I can compare HOST header value with a list of trusted host values. If the value in HOST header is not in the list, I fail the http request. The problem is that when 302 happens, the filter is not hit. For example, I have a web app say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by jetty. If HOST header is injected in http request http://host:port/myweb, since the filter is not hit, the request will be redirected to a site specified in HOST header value.

What can I do about this?

Thank you.

Follow-Ups:
- Re: [jetty-users] How to prevent host header injection redirection in jetty
  - From: Simone Bordet

Prev by Date: Re: [jetty-users] Jetty http2 client request hangs indefinitely
Next by Date: Re: [jetty-users] How to prevent host header injection redirection in jetty
Previous by thread: [jetty-users] Memory leak in Conscrypt with Jetty.
Next by thread: Re: [jetty-users] How to prevent host header injection redirection in jetty
Index(es):
- Date
- Thread

Breadcrumbs