Discussion forum about ELOG
elog utility for submission used wrong 'Host:' in POST header, posted by Heiko Scheit on Mon Jul 11 19:04:38 2005
    Re: elog utility for submission used wrong 'Host:' in POST header, posted by Emiliano Gabrielli on Tue Jul 12 10:15:30 2005
        Re: elog utility for submission used wrong 'Host:' in POST header, posted by Stefan Ritt on Wed Jul 20 21:03:29 2005
Message ID: 1260     Entry time: Tue Jul 12 10:15:30 2005     In reply to: 1259     Reply to this: 1283
Icon: Warning  Author: Emiliano Gabrielli  Author Email: AlberT@SuperAlberT.it 
Category: Bug fix  OS: Linux  ELOG Version: 2.5.9 
Subject: Re: elog utility for submission used wrong 'Host:' in POST header 
> The 'elog' utility for commandline submission used wrong 'Host:' in POST header.
> The host listed after 'Host:' should be the host where the server runs, not the
> localhost (see patch below).
>
> $ diff -u elog.c_20050711 elog.c
> --- elog.c_20050711 Mon Jul 11 18:54:20 2005
> +++ elog.c Mon Jul 11 18:55:31 2005
> @@ -421,7 +421,7 @@
> sprintf(request + strlen(request), "%s/%d?cmd=download", experiment, message_id);
> strcat(request, " HTTP/1.0\r\n");
>
> - sprintf(request + strlen(request), "Host: %s\r\n", host_name);
> + sprintf(request + strlen(request), "Host: %s\r\n", host);
> sprintf(request + strlen(request), "User-Agent: ELOG\r\n");
>
> first = 1;
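Review bot: The changed line still appends with sprintf(request + strlen(request), ...) and no length bound, and the value written is now host (the server name, per the description above) rather than the local host name, so an overlong name can run past the end of request. Suggest snprintf with the space remaining in request, and rejecting a host string that contains CR or LF before it is written into the header.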
> @@ -872,7 +872,7 @@
> strcat(request, " HTTP/1.0\r\n");
>
> sprintf(request + strlen(request), "Content-Type: multipart/form-data; boundary=%s\r\n", boundary);
> - sprintf(request + strlen(request), "Host: %s\r\n", host_name);
> + sprintf(request + strlen(request), "Host: %s\r\n", host);
> sprintf(request + strlen(request), "User-Agent: ELOG\r\n");
> sprintf(request + strlen(request), "Content-Length: %d\r\n", content_length);
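Review bot: The Host value on the changed line carries only the name; when the server listens on a port other than the default, the header is expected to read host:port, so the port should be appended here if the client can connect to a non-default one. The identical one-line change is made here and in the earlier hunk, so a small helper that writes the Host line would keep the two call sites from diverging again.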

This is not completely true IMHO .. better, it is, but it is not the only problem.

Elog seems to speak HTML/1.0, where "host:" is not implemented ... Since ELOG does not support Vhosts I think the right behaviour is to remove the "Host:" header at all ...

On the other hand it should reply with an error when a bogus client tries to speak HTML/1.0 specifying "host:",
and (the worst case) when the bogus client says to speak HTML/1.1 and doesn't provide the required "Host:" header ...
Yes .. elog will ignore it, but it is an RFC requirement for HTML/1.1 !
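
The server-side check this reply asks for, as an added example that is not part of the original post and is not ELOG's code: it returns 400 for an HTTP/1.1 request with no Host header (RFC 2616, section 14.23) or with more than one (RFC 7230, section 5.4). The function name `host_check` and the sample requests are constructed for illustration; this sketch accepts HTTP/1.0 requests with or without Host.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: status a server would answer with, judging only
   the request line's HTTP version and the Host header(s). */
int host_check(const char *req)
{
    const char *eol = strstr(req, "\r\n");
    if (eol == NULL || eol - req < 8)
        return 400;                       /* no complete request line */

    /* The version token is the last 8 bytes of the request line */
    int is_11 = 0;
    if (strncmp(eol - 8, "HTTP/1.1", 8) == 0)
        is_11 = 1;
    else if (strncmp(eol - 8, "HTTP/1.0", 8) != 0)
        return 400;                       /* unknown or missing version */

    /* Walk header lines up to the empty line ending the header block */
    int hosts = 0;
    const char *p = eol + 2;
    while (*p != '\0' && strncmp(p, "\r\n", 2) != 0) {
        const char *end = strstr(p, "\r\n");
        if (end == NULL)
            return 400;                   /* truncated header line */
        /* Header names are case-insensitive: "host:" counts too */
        if (end - p >= 5 && strncasecmp(p, "Host:", 5) == 0)
            hosts++;
        p = end + 2;
    }

    if (hosts > 1)
        return 400;                       /* ambiguous target host */
    if (is_11 && hosts == 0)
        return 400;                       /* Host is mandatory in 1.1 */
    return 200;
}

int main(void)
{
    /* Constructed sample requests */
    const char *samples[] = {
        "GET /demo/ HTTP/1.1\r\nUser-Agent: ELOG\r\n\r\n",
        "GET /demo/ HTTP/1.1\r\nHost: elog.example\r\n\r\n",
        "GET /demo/ HTTP/1.0\r\nUser-Agent: ELOG\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("request %zu -> %d\n", i, host_check(samples[i]));
    return 0;
}
```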