[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100

A. Schulze sca at andreasschulze.de
Fri Apr 3 12:58:22 CEST 2015


Christian Mehlmauer:

> So using the $host variable should be avoided where possible in my opinion
+1
We currently do not know how to exploit that. But maybe one day ...

If a webserver should redirect (from A) to B, why should I trust that any user really asked for A?
Just send the intended answer ...
Regardless of encryption or other stuff. Simply don't use user input where it's not needed.

Using $host has only one major benefit: it's easier to write/read in documentation.

Andreas
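An added illustration of the point made above, not code from this thread or from the ACH guide; it assumes nginx syntax (where $host is the client-supplied Host header) and uses example.com as a placeholder hostname:

```nginx
# HTTP listener whose only job is to send clients to the HTTPS site.
server {
    listen 80;
    server_name example.com www.example.com;

    # Weak: the Location header is built from $host, i.e. whatever Host
    # value the client sent is echoed back in the redirect target.
    # return 301 https://$host$request_uri;

    # Preferred: the target is a fixed name chosen by the operator, so
    # nothing from the request other than the path ends up in Location.
    return 301 https://example.com$request_uri;
}

# Catch-all for requests whose Host matches no configured name (or is
# missing). Status 444 makes nginx close the connection without a
# response instead of redirecting to a name nobody configured.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

With this layout a request carrying an unexpected Host header is dropped by the default server rather than answered with a redirect built from that header.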
