reject request without the Host header

Author: Cycloctane

aiohttp/_http_parser.pyx

@@ -437,6 +437,7 @@ cdef class HttpParser:
     cdef _on_headers_complete(self):
         self._process_header()
 
+        http_version = self.http_version()
         should_close = not cparser.llhttp_should_keep_alive(self._cparser)
         upgrade = self._cparser.upgrade
         chunked = self._cparser.flags & cparser.F_CHUNKED
@@ -453,6 +454,8 @@ cdef class HttpParser:
             raise BadHttpMessage(f"Duplicate '{bad_hdr}' header found.")
 
         if self._cparser.type == cparser.HTTP_REQUEST:
+            if http_version == HttpVersion11 and hdrs.HOST not in headers:
+                raise BadHttpMessage("Missing 'Host' header in request.")
             h_upg = headers.get("upgrade", "")
             allowed = upgrade and h_upg.isascii() and h_upg.lower() in ALLOWED_UPGRADES
             if allowed or self._cparser.method == cparser.HTTP_CONNECT:
@@ -476,11 +479,11 @@ cdef class HttpParser:
             method = http_method_str(self._cparser.method)
             msg = _new_request_message(
                 method, self._path,
-                self.http_version(), headers, raw_headers,
+                http_version, headers, raw_headers,
                 should_close, encoding, upgrade, chunked, self._url)
         else:
             msg = _new_response_message(
-                self.http_version(), self._cparser.status_code, self._reason,
+                http_version, self._cparser.status_code, self._reason,
                 headers, raw_headers, should_close, encoding,
                 upgrade, chunked)
 

aiohttp/http_parser.py

@@ -41,7 +41,7 @@
     LineTooLong,
     TransferEncodingError,
 )
-from .http_writer import HttpVersion, HttpVersion10
+from .http_writer import HttpVersion, HttpVersion10, HttpVersion11
 from .streams import EMPTY_PAYLOAD, StreamReader
 from .typedefs import RawHeaders
 
@@ -627,6 +627,9 @@ def parse_message(self, lines: list[bytes]) -> RawRequestMessage:
             chunked,
         ) = self.parse_headers(lines[1:])
 
+        if version_o == HttpVersion11 and hdrs.HOST not in headers:
+            raise BadHttpMessage("Missing 'Host' header in request.")
+
         if close is None:  # then the headers weren't set in the request
             if version_o <= HttpVersion10:  # HTTP 1.0 must asks to not close
                 close = True

tests/test_http_parser.py

@@ -318,6 +318,12 @@ def test_duplicate_host_header_rejected(parser: HttpRequestParser) -> None:
         parser.feed_data(text)
 
 
+def test_missing_host_header_rejected(parser: HttpRequestParser) -> None:
+    text = b"GET /admin HTTP/1.1\r\n\r\n"
+    with pytest.raises(http_exceptions.BadHttpMessage, match="Missing 'Host' header"):
+        parser.feed_data(text)
+
+
 def test_bad_chunked(parser: HttpRequestParser) -> None:
     """Test that invalid chunked encoding doesn't allow content-length to be used."""
     text = (