Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] How to prevent host header injection redirection in jetty 
Hi,

On Fri, Sep 27, 2019 at 4:08 PM Xiao Li <lixiao2007@xxxxxxxxx> wrote:
>
> I have a filter in webdefault.xml. In the filter, I can compare HOST header value with a list of trusted host values. If the value in HOST header is not in the list, I fail the http request.  The problem is that when 302 happens, the filter is not hit. For example, I have a web app say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by jetty. If HOST header is injected in http request  http://host:port/myweb,  since the filter is not hit, the request will be redirected to a site specified in HOST header value.
>

Jetty would not know where to redirect to, unless you have configured
some Jetty Handler that does that.
If that is the case, then your option is to use a Jetty Handler in
front of the others (rather than a Filter) to perform your Host header
checks.
Alternatively, you remove the redirecting Jetty Handler and do
everything from Filters: one that does Host header checks, and a
following one that does redirection.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Back to the top