Merge pull request #404 from clue-labs/require-host

Require Host request header for HTTP/1.1 requests

src/Io/RequestHeaderParser.php

@@ -168,6 +168,7 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
         }
 
         // default host if unset comes from local socket address or defaults to localhost
+        $hasHost = $host !== null;
         if ($host === null) {
             $host = isset($localParts['host'], $localParts['port']) ? $localParts['host'] . ':' . $localParts['port'] : '127.0.0.1';
         }
@@ -230,8 +231,8 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             $request = $request->withRequestTarget($start['target']);
         }
 
-        // Optional Host header value MUST be valid (host and optional port)
-        if ($request->hasHeader('Host')) {
+        if ($hasHost) {
+            // Optional Host request header value MUST be valid (host and optional port)
             $parts = \parse_url('http://' . $request->getHeaderLine('Host'));
 
             // make sure value contains valid host component (IP or hostname)
@@ -244,6 +245,12 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             if ($parts === false || $parts) {
                 throw new \InvalidArgumentException('Invalid Host header value');
             }
+        } elseif (!$hasHost && $start['version'] === '1.1' && $start['method'] !== 'CONNECT') {
+            // require Host request header for HTTP/1.1 (except for CONNECT method)
+            throw new \InvalidArgumentException('Missing required Host request header');
+        } elseif (!$hasHost) {
+            // remove default Host request header for HTTP/1.0 when not explicitly given
+            $request = $request->withoutHeader('Host');
         }
 
         // ensure message boundaries are valid according to Content-Length and Transfer-Encoding request headers
@@ -266,9 +273,6 @@ public function parseRequest($headers, $remoteSocketUri, $localSocketUri)
             }
         }
 
-        // always sanitize Host header because it contains critical routing information
-        $request = $request->withUri($request->getUri()->withUserInfo('u')->withUserInfo(''));
-
         return $request;
     }
 }

tests/Io/RequestHeaderParserTest.php

@@ -257,7 +257,7 @@ public function testHeaderEventWithShouldApplyDefaultAddressFromLocalConnectionA
         $connection->emit('data', array("GET /foo HTTP/1.0\r\n\r\n"));
 
         $this->assertEquals('http://127.1.1.1:8000/foo', $request->getUri());
-        $this->assertEquals('127.1.1.1:8000', $request->getHeaderLine('Host'));
+        $this->assertFalse($request->hasHeader('Host'));
     }
 
     public function testHeaderEventViaHttpsShouldApplyHttpsSchemeFromLocalTlsConnectionAddress()
@@ -550,7 +550,7 @@ public function testInvalidContentLengthRequestHeaderWillEmitError()
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nContent-Length: foo\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nContent-Length: foo\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -570,7 +570,7 @@ public function testInvalidRequestWithMultipleContentLengthRequestHeadersWillEmi
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 4\r\nContent-Length: 5\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -590,7 +590,7 @@ public function testInvalidTransferEncodingRequestHeaderWillEmitError()
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nTransfer-Encoding: foo\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: foo\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(501, $error->getCode());
@@ -610,7 +610,7 @@ public function testInvalidRequestWithBothTransferEncodingAndContentLengthWillEm
         $connection = $this->getMockBuilder('React\Socket\Connection')->disableOriginalConstructor()->setMethods(null)->getMock();
         $parser->handle($connection);
 
-        $connection->emit('data', array("GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n"));
+        $connection->emit('data', array("GET / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\nContent-Length: 0\r\n\r\n"));
 
         $this->assertInstanceOf('InvalidArgumentException', $error);
         $this->assertSame(400, $error->getCode());
@@ -762,7 +762,7 @@ public function testQueryParmetersWillBeSet()
     private function createGetRequest()
     {
         $data = "GET / HTTP/1.1\r\n";
-        $data .= "Host: example.com:80\r\n";
+        $data .= "Host: example.com\r\n";
         $data .= "Connection: close\r\n";
         $data .= "\r\n";
 
@@ -772,7 +772,7 @@ private function createGetRequest()
     private function createAdvancedPostRequest()
     {
         $data = "POST /foo?bar=baz HTTP/1.1\r\n";
-        $data .= "Host: example.com:80\r\n";
+        $data .= "Host: example.com\r\n";
         $data .= "User-Agent: react/alpha\r\n";
         $data .= "Connection: close\r\n";
         $data .= "\r\n";