Properly parse HTTP host for verification

Also fix H2 transport to not verify if host is not defined
5 months ago · b8c0768b16
5 changed files with 22 additions and 6 deletions
--- a/transport/internet/http/config.go
+++ b/transport/internet/http/config.go
@ -1,8 +1,6 @@
 package http

 import (
-	"strings"
-
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/dice"
 	"github.com/xtls/xray-core/transport/internet"
@ -18,9 +16,12 @@ func (c *Config) getHosts() []string {
 }

 func (c *Config) isValidHost(host string) bool {
+	if len(c.Host) == 0 {
+		return true
+	}
 	hosts := c.getHosts()
 	for _, h := range hosts {
-		if strings.Contains(strings.ToLower(host), strings.ToLower(h)) {
+		if internet.IsValidHTTPHost(host, h) {
 			return true
 		}
 	}
--- a/transport/internet/httpupgrade/hub.go
+++ b/transport/internet/httpupgrade/hub.go
@ -39,7 +39,7 @@ func (s *server) Handle(conn net.Conn) (stat.Connection, error) {

 	if s.config != nil {
 		host := req.Host
-		if len(s.config.Host) > 0 && !strings.Contains(strings.ToLower(host), strings.ToLower(s.config.Host)) {
+		if len(s.config.Host) > 0 && !internet.IsValidHTTPHost(host, s.config.Host) {
 			return nil, errors.New("bad host: ", host)
 		}
 		path := s.config.GetNormalizedPath()
--- a/transport/internet/internet.go
+++ b/transport/internet/internet.go
@ -1,3 +1,18 @@
 package internet

+import (
+	"net"
+	"strings"
+)
+
 //go:generate go run github.com/xtls/xray-core/common/errors/errorgen
+
+func IsValidHTTPHost(request string, config string) bool {
+	r := strings.ToLower(request)
+	c := strings.ToLower(config)
+	if strings.Contains(r, ":") {
+		h, _, _ := net.SplitHostPort(r)
+		return h == c
+	}
+	return r == c
+}
--- a/transport/internet/splithttp/hub.go
+++ b/transport/internet/splithttp/hub.go
@ -72,7 +72,7 @@ func (h *requestHandler) upsertSession(sessionId string) *httpSession {
 }

 func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
-	if len(h.host) > 0 && !strings.Contains(strings.ToLower(request.Host), strings.ToLower(h.host)) {
+	if len(h.host) > 0 && !internet.IsValidHTTPHost(request.Host, h.host) {
 		errors.LogInfo(context.Background(), "failed to validate host, request:", request.Host, ", config:", h.host)
 		writer.WriteHeader(http.StatusNotFound)
 		return
--- a/transport/internet/websocket/hub.go
+++ b/transport/internet/websocket/hub.go
@ -38,7 +38,7 @@ var upgrader = &websocket.Upgrader{
 }

 func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
-	if len(h.host) > 0 && !strings.Contains(strings.ToLower(request.Host), strings.ToLower(h.host)) {
+	if len(h.host) > 0 && !internet.IsValidHTTPHost(request.Host, h.host) {
 		errors.LogInfo(context.Background(), "failed to validate host, request:", request.Host, ", config:", h.host)
 		writer.WriteHeader(http.StatusNotFound)
 		return