Allow overriding the host header if doesn't match the absolute-form host (dotnet#39334)

* Allow overriding the host header if doesn't match the absolute-form host
* Apply suggestions from code review

Co-authored-by: Stephen Halter <[email protected]>

Author: 2 people

src/Servers/Kestrel/Core/src/Internal/Http/Http1Connection.cs

@@ -626,7 +626,22 @@ private void ValidateNonOriginHostHeader(string hostText)
                 if (!_absoluteRequestTarget.IsDefaultPort
                     || hostText != _absoluteRequestTarget.Authority + ":" + _absoluteRequestTarget.Port.ToString(CultureInfo.InvariantCulture))
                 {
-                    KestrelBadHttpRequestException.Throw(RequestRejectionReason.InvalidHostHeader, hostText);
+                    // Superseded by RFC 7230, but notable for back-compat.
+                    // https://datatracker.ietf.org/doc/html/rfc2616/#section-5.2
+                    //    1. If Request-URI is an absoluteURI, the host is part of the
+                    // Request-URI. Any Host header field value in the request MUST be
+                    // ignored.
+                    // We don't want to leave the invalid value for the app to accidentally consume,
+                    // replace it with the value from the request line.
+                    if (_context.ServiceContext.ServerOptions.EnableInsecureAbsoluteFormHostOverride)
+                    {
+                        hostText = _absoluteRequestTarget.Authority + ":" + _absoluteRequestTarget.Port.ToString(CultureInfo.InvariantCulture);
+                        HttpRequestHeaders.HeaderHost = hostText;
+                    }
+                    else
+                    {
+                        KestrelBadHttpRequestException.Throw(RequestRejectionReason.InvalidHostHeader, hostText);
+                    }
                 }
             }
         }

src/Servers/Kestrel/Core/src/KestrelServerOptions.cs

@@ -35,6 +35,21 @@ public class KestrelServerOptions
 
     private Func<string, Encoding?> _responseHeaderEncodingSelector = DefaultHeaderEncodingSelector;
 
+    private bool? _enableInsecureAbsoluteFormHostOverride;
+    internal bool EnableInsecureAbsoluteFormHostOverride
+    {
+        get
+        {
+            if (!_enableInsecureAbsoluteFormHostOverride.HasValue)
+            {
+                _enableInsecureAbsoluteFormHostOverride =
+                    AppContext.TryGetSwitch("Microsoft.AspNetCore.Server.Kestrel.EnableInsecureAbsoluteFormHostOverride", out var enabled) && enabled;
+            }
+            return _enableInsecureAbsoluteFormHostOverride.Value;
+        }
+        set => _enableInsecureAbsoluteFormHostOverride = value;
+    }
+
     // The following two lists configure the endpoints that Kestrel should listen to. If both lists are empty, the "urls" config setting (e.g. UseUrls) is used.
     internal List<ListenOptions> CodeBackedListenOptions { get; } = new List<ListenOptions>();
     internal List<ListenOptions> ConfigurationBackedListenOptions { get; } = new List<ListenOptions>();

src/Servers/Kestrel/test/InMemory.FunctionalTests/BadHttpRequestTests.cs

@@ -11,6 +11,7 @@
 using Microsoft.AspNetCore.Testing;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
 using Moq;
 using Xunit;
 using BadHttpRequestException = Microsoft.AspNetCore.Http.BadHttpRequestException;
@@ -140,6 +141,30 @@ public Task BadRequestIfHostHeaderDoesNotMatchRequestTarget(string requestTarget
             CoreStrings.FormatBadRequest_InvalidHostHeader_Detail(host.Trim()));
     }
 
+    [Fact]
+    public async Task CanOptOutOfBadRequestIfHostHeaderDoesNotMatchRequestTarget()
+    {
+        var receivedHost = StringValues.Empty;
+        await using var server = new TestServer(context =>
+        {
+            receivedHost = context.Request.Headers.Host;
+            return Task.CompletedTask;
+        }, new TestServiceContext(LoggerFactory)
+        {
+            ServerOptions = new KestrelServerOptions()
+            {
+                EnableInsecureAbsoluteFormHostOverride = true,
+            }
+        });
+        using var client = server.CreateConnection();
+
+        await client.SendAll($"GET http://www.foo.com/api/data HTTP/1.1\r\nHost: www.foo.comConnection: keep-alive\r\n\r\n");
+
+        await client.Receive("HTTP/1.1 200 OK");
+
+        Assert.Equal("www.foo.com:80", receivedHost);
+    }
+
     [Fact]
     public Task BadRequestFor10BadHostHeaderFormat()
     {