feat: do not use host header on http2 for guard (#3525)

* feat(guard): do not use host header on http2 for guard * docs: update changelog --------- Co-authored-by: Rob Ede <robjtede@icloud.com>
2025-05-19 07:23:17 +02:00 · 2025-05-10 04:42:00 +02:00 · 2025-05-10 04:42:00 +02:00 · 3147aaccc7
commit 3147aaccc7
parent 079400a72b
2 changed files with 35 additions and 1 deletions
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@ -6,6 +6,7 @@
 - Improve handling of non-UTF-8 header values in `Logger` middleware.
 - Add `HttpServer::shutdown_signal()` method.
 - Mark `HttpServer` as `#[must_use]`.
+- Ignore `Host` header in `Host` guard when connection protocol is HTTP/2.
 - Re-export `mime` dependency.
 - Update `brotli` dependency to `8`.

--- a/actix-web/src/guard/host.rs
+++ b/actix-web/src/guard/host.rs
@ -1,4 +1,4 @@
-use actix_http::{header, uri::Uri, RequestHead};
+use actix_http::{header, uri::Uri, RequestHead, Version};

 use super::{Guard, GuardContext};

@ -66,6 +66,7 @@ fn get_host_uri(req: &RequestHead) -> Option<Uri> {
    req.headers
        .get(header::HOST)
        .and_then(|host_value| host_value.to_str().ok())
+        .filter(|_| req.version < Version::HTTP_2)
        .or_else(|| req.uri.host())
        .and_then(|host| host.parse().ok())
 }
@ -123,6 +124,38 @@ mod tests {
    use super::*;
    use crate::test::TestRequest;

+    #[test]
+    fn host_not_from_header_if_http2() {
+        let req = TestRequest::default()
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let req = TestRequest::default()
+            .version(actix_http::Version::HTTP_2)
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(host.check(&req.guard_ctx()));
+    }
+
    #[test]
    fn host_from_header() {
        let req = TestRequest::default()