Require Host request header for HTTP/1.1 requests

All HTTP/1.1 requests require a Host request header as per RFC 7230. The
proxy CONNECT method is an exception to this rule because we do not want
to break compatibility with common HTTP proxy clients that do not
strictly follow the RFCs.

This does not affect valid HTTP/1.1 requests and has no effect on
HTTP/1.0 requests.

Additionally, make sure we do not include a default Host request header
in the parsed request object if the incoming request does not make use
of the Host request header.

Author: clue

src/Io/RequestHeaderParser.php

@@ -172,6 +172,7 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
         }
 
         // default host if unset comes from local socket address or defaults to localhost
+        $hasHost = $host !== null;
         if ($host === null) {
             $host = isset($localParts['host'], $localParts['port']) ? $localParts['host'] . ':' . $localParts['port'] : '127.0.0.1';
         }
@@ -234,8 +235,8 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             $request = $request->withRequestTarget($start['target']);
         }
 
-        // Optional Host header value MUST be valid (host and optional port)
-        if ($request->hasHeader('Host')) {
+        if ($hasHost) {
+            // Optional Host request header value MUST be valid (host and optional port)
             $parts = \parse_url('http://' . $request->getHeaderLine('Host'));
 
             // make sure value contains valid host component (IP or hostname)
@@ -248,6 +249,12 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             if ($parts === false || $parts) {
                 throw new \InvalidArgumentException('Invalid Host header value');
             }
+        } elseif (!$hasHost && $start['version'] === '1.1' && $start['method'] !== 'CONNECT') {
+            // require Host request header for HTTP/1.1 (except for CONNECT method)
+            throw new \InvalidArgumentException('Missing required Host request header');
+        } elseif (!$hasHost) {
+            // remove default Host request header for HTTP/1.0 when not explicitly given
+            $request = $request->withoutHeader('Host');
         }
 
         // ensure message boundaries are valid according to Content-Length and Transfer-Encoding request headers
@@ -270,9 +277,6 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             }
         }
 
-        // always sanitize Host header because it contains critical routing information
-        $request = $request->withUri($request->getUri()->withUserInfo('u')->withUserInfo(''));
-
         return $request;
     }
 }

tests/Io/RequestHeaderParserTest.php

@@ -257,7 +257,7 @@ public function testHeaderEventWithShouldApplyDefaultAddressFromLocalConnectionA
         $connection->emit('data', array("GET /foo HTTP/1.0\r\n\r\n"));
 
         $this->assertEquals('http://127.1.1.1:8000/foo', $request->getUri());
-        $this->assertEquals('127.1.1.1:8000', $request->getHeaderLine('Host'));
+        $this->assertFalse($request->hasHeader('Host'));
     }
 
     public function testHeaderEventViaHttpsShouldApplyHttpsSchemeFromLocalTlsConnectionAddress()
@@ -550,7 +550,7 @@ public function testInvalidContentLengthRequestHeaderWillEmitError()
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nContent-Length: foo\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nContent-Length: foo\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -570,7 +570,7 @@ public function testInvalidRequestWithMultipleContentLengthRequestHeadersWillEmi
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -590,7 +590,7 @@ public function testInvalidTransferEncodingRequestHeaderWillEmitError()
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nTransfer-Encoding: foo\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: foo\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(501, $error->getCode());
@@ -610,7 +610,7 @@ public function testInvalidRequestWithBothTransferEncodingAndContentLengthWillEm
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -762,7 +762,7 @@ public function testQueryParmetersWillBeSet()
     private function createGetRequest()
     {
         $data = "GET / HTTP/1.1\r\n";
-        $data .= "Host: example.com:80\r\n";
+        $data .= "Host: example.com\r\n";
         $data .= "Connection: close\r\n";
         $data .= "\r\n";
 
@@ -772,7 +772,7 @@ private function createGetRequest()
     private function createAdvancedPostRequest()
     {
         $data = "POST /foo?bar=baz HTTP/1.1\r\n";
-        $data .= "Host: example.com:80\r\n";
+        $data .= "Host: example.com\r\n";
         $data .= "User-Agent: react/alpha\r\n";
         $data .= "Connection: close\r\n";
         $data .= "\r\n";