MEDIUM: proxy: Reject some header names for 'http-send-name-header' directive

capflam · capflam · commit 8f3b537547af · 2025-08-29T09:27:01.000+02:00
From time to time, we saw the 'http-send-name-header' directive used to
overwrite the Host header to workaround limitations of a buggy application.
Most of time, this led to troubles. This was never officially supported and
each time we strongly discouraged anyone to do so. We already thought to
deprecate this directive, but it seems to be still used by few people. So
for now, we decided to strengthen the tests performed on it.

The header name is now checked during the configuration parsing to forbid
some risky names. 'Host', 'Content-Length', 'Transfer-Encoding' and
'Connection' header names are now rejected. But more headers could be added
in future.
diff --git a/doc/configuration.txt b/doc/configuration.txt
@@ -8366,14 +8366,8 @@ http-send-name-header [<header>]
   very late in the connection setup, it may have unexpected effects on already
   modified headers. For example using it with transport-level header such as
   connection, content-length, transfer-encoding and so on will likely result in
-  invalid requests being sent to the server. Additionally it has been reported
-  that this directive is currently being used as a way to overwrite the Host
-  header field in outgoing requests; while this trick has been known to work
-  as a side effect of the feature for some time, it is not officially supported
-  and might possibly not work anymore in a future version depending on the
-  technical difficulties this feature induces. A long-term solution instead
-  consists in fixing the application which required this trick so that it binds
-  to the correct host name.
+  invalid requests being sent to the server. This is why following header names
+  are forbidden: host, content-length, transfer-encoding and connection.
 
   See also : "server"
 
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
@@ -1476,6 +1476,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 			err_code |= ERR_ALERT | ERR_FATAL;
 			goto out;
 		}
+		if (strcasecmp(args[1], "host") == 0 ||
+		    strcasecmp(args[1], "content-length") == 0 ||
+		    strcasecmp(args[1], "transfer-encoding") == 0 ||
+		    strcasecmp(args[1], "connection") == 0) {
+			ha_alert("parsing [%s:%d] : '%s' cannot be used as header name for '%s' directive.\n",
+				 file, linenum, args[1], args[0]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
 
 		/* set the desired header name, in lower case */
 		istfree(&curproxy->server_id_hdr_name);
