From 40cbff9fd3913bb7d36e2c145367c740dfc2d47b Mon Sep 17 00:00:00 2001 From: David Goetz Date: Thu, 12 Apr 2012 12:46:03 -0700 Subject: [PATCH] proxy to be able to deny request to invalid hostnames Change-Id: I974f729da60e5ab9453daf9e52466b3e1af5c69b --- etc/proxy-server.conf-sample | 2 ++ swift/proxy/server.py | 5 +++++ test/unit/proxy/test_server.py | 13 +++++++++++++ 3 files changed, 20 insertions(+) diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 148616bd3c..fea4818b0e 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -57,6 +57,8 @@ use = egg:swift#proxy # This is a comma separated list of account hashes that ignore the # max_containers_per_account cap. # max_containers_whitelist = +# comma separated list of Host headers the proxy will be deny requests to +# deny_host_headers = [filter:tempauth] use = egg:swift#tempauth diff --git a/swift/proxy/server.py b/swift/proxy/server.py index 1c9da3f12e..ec67789caf 100644 --- a/swift/proxy/server.py +++ b/swift/proxy/server.py @@ -1841,6 +1841,8 @@ class BaseApplication(object): self.max_containers_whitelist = [a.strip() for a in conf.get('max_containers_whitelist', '').split(',') if a.strip()] + self.deny_host_headers = [host.strip() for host in + conf.get('deny_host_headers', '').split(',') if host.strip()] def get_controller(self, path): """ @@ -1925,6 +1927,9 @@ class BaseApplication(object): return HTTPPreconditionFailed(request=req, body='Invalid UTF8') if not controller: return HTTPPreconditionFailed(request=req, body='Bad URL') + if self.deny_host_headers and \ + req.host.split(':')[0] in self.deny_host_headers: + return HTTPForbidden(request=req, body='Invalid host header') controller = controller(self, **path_parts) if 'swift.trans_id' not in req.environ: diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py index 4019b0408f..99a5015816 100644 --- a/test/unit/proxy/test_server.py +++ b/test/unit/proxy/test_server.py 
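Review bot: In swift/proxy/server.py the new check in handle_request, `req.host.split(':')[0] in self.deny_host_headers`, is an exact, case-sensitive string match, while hostnames are case-insensitive. As far as the visible lines show, a Host header that differs from the configured entry only in letter case or by a trailing dot would not be denied. Normalising both sides fixes this: build the list in `__init__` with `host.strip().lower()` and compare `req.host.split(':')[0].rstrip('.').lower()`. Taking the text before the first `:` also reduces a bracketed IPv6 literal to `[`, so such hosts can never be listed; that limit deserves a comment or a proper host/port split. The check runs after the 'Invalid UTF8' and 'Bad URL' returns, so a denied host still gets 412 for those requests rather than 403; both function bodies continue outside the hunks.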
@@ -741,6 +741,19 @@ class TestProxyServer(unittest.TestCase): finally: rmtree(swift_dir, ignore_errors=True) + def test_denied_host_header(self): + swift_dir = mkdtemp() + try: + baseapp = proxy_server.BaseApplication({'swift_dir': swift_dir, + 'deny_host_headers': 'invalid_host.com'}, + FakeMemcache(), NullLoggingHandler(), FakeRing(), FakeRing(), + FakeRing()) + resp = baseapp.handle_request( + Request.blank('/v1/a/c/o', + environ={'HTTP_HOST': 'invalid_host.com'})) + self.assertEquals(resp.status, '403 Forbidden') + finally: + rmtree(swift_dir, ignore_errors=True) class TestObjectController(unittest.TestCase):
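Review bot: test_denied_host_header exercises only an exact Host match without a port, so the `split(':')[0]` port-stripping in handle_request and the allow path are both untested. I would add a request with `environ={'HTTP_HOST': 'invalid_host.com:8080'}` asserting `'403 Forbidden'`, and one with a host that is not in `deny_host_headers` asserting the status is not 403. That catches a regression that ignores the port or denies every request. A mixed-case Host case would also pin down whether matching is meant to be case-sensitive.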