[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [jetty-users] How to prevent host header injection redirection in jetty
|
Hi,
On Fri, Sep 27, 2019 at 4:08 PM Xiao Li <lixiao2007@xxxxxxxxx> wrote:
>
> I have a filter in webdefault.xml. In the filter, I can compare HOST header value with a list of trusted host values. If the value in HOST header is not in the list, I fail the http request. The problem is that when 302 happens, the filter is not hit. For example, I have a web app say myweb. http://host:port/myweb will be automatically redirected to http://host:port/myweb/ by jetty. If HOST header is injected in http request http://host:port/myweb, since the filter is not hit, the request will be redirected to a site specified in HOST header value.
>
Jetty would not know where to redirect to, unless you have configured
some Jetty Handler that does that.
If that is the case, then your option is to use a Jetty Handler in
front of the others (rather than a Filter) to perform your Host header
checks.
Alternatively, you remove the redirecting Jetty Handler and do
everything from Filters: one that does Host header checks, and a
following one that does redirection.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.