jadahl / mod_restful

RESTful interface to ejabberd

mod_restful assumes DNS name matches Host #7

Closed taybin closed 12 years ago

taybin commented 12 years ago

In mod_restful:handle_request/3, Host is compared to:

true = lists:member(Host, ejabberd_config:get_global_option(hosts)),

However, shouldn't the hostname be ignored in favor of the Host header?

I can easily see having the xmpp domain foo.com running on a server bar.com. And then trying to access:

POST /api/admin
Host: foo.com

jadahl commented 12 years ago

What this line does is to make sure that the host specified in the HTTP request is one of the configured virtual hosts of ejabberd. That means if foo.com is running on bar.com, ejabberd_config:get_global_option(hosts) will return a list including "foo.com".

taybin commented 12 years ago

I'll take another look at the traffic to make sure the Host header was being sent correctly. Thank you.

taybin commented 12 years ago

Yes, it was a bad REST client that was changing the Host header out from under us.

jadahl commented 12 years ago

Great to hear the problem was solved.
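
The check discussed in this thread, as an added example that is not part of the original issue or of mod_restful's code: the Host header is matched against the configured virtual hosts, so a client that rewrites the header to the machine's DNS name is rejected. The module name, `check_host/2`, the port and case normalization, and the sample host list are assumptions made for illustration; the configured list is passed in as an argument in place of `ejabberd_config:get_global_option(hosts)` so the module runs without ejabberd.

```erlang
-module(host_check_example).
-export([check_host/2, demo/0]).

%% Assumption: ConfiguredHosts stands in for the list returned by
%% ejabberd_config:get_global_option(hosts).

%% Returns {ok, Host} when the Host header names a configured virtual
%% host and {error, Reason} otherwise, so the caller can answer with an
%% HTTP error instead of crashing on a badmatch.
check_host(undefined, _ConfiguredHosts) ->
    {error, missing_host_header};
check_host(HostHeader, ConfiguredHosts) when is_list(HostHeader) ->
    Host = normalize(HostHeader),
    Known = [string:lowercase(H) || H <- ConfiguredHosts],
    case lists:member(Host, Known) of
        true  -> {ok, Host};
        false -> {error, {unknown_host, Host}}
    end.

%% Drop an optional ":port" suffix and fold case, since DNS names are
%% case-insensitive. Assumes the header is not an IPv6 literal.
normalize(HostHeader) ->
    [Name | _Port] = string:split(HostHeader, ":"),
    string:lowercase(string:trim(Name)).

%% Constructed sample: XMPP domain foo.com served from a machine whose
%% DNS name is bar.com, as in the scenario described in the issue.
demo() ->
    Hosts = ["foo.com"],
    %% Host header carries the XMPP domain: accepted.
    {ok, "foo.com"} = check_host("foo.com", Hosts),
    {ok, "foo.com"} = check_host("Foo.com:5280", Hosts),
    %% A client that replaced the header with the machine's DNS name
    %% is rejected, because bar.com is not a configured virtual host.
    {error, {unknown_host, "bar.com"}} = check_host("bar.com", Hosts),
    {error, missing_host_header} = check_host(undefined, Hosts),
    ok.
```

Compile with `erlc host_check_example.erl` and call `host_check_example:demo().` from an Erlang shell; it returns `ok` when every case matches.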