Skip to content

Commit b0111b9

Browse files
committed
fix: ensure Host header is set in unsafe mode for rawhttp requests
1 parent 7b8fd15 commit b0111b9

2 files changed

Lines changed: 5 additions & 1 deletion

File tree

common/httpx/httpx.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -424,6 +424,11 @@ func (h *HTTPX) SetCustomHeaders(r *retryablehttp.Request, headers map[string]st
424424
switch strings.ToLower(name) {
425425
case "host":
426426
r.Host = value
427+
// In unsafe mode (rawhttp), the Host header must be explicitly set in req.Header
428+
// because rawhttp uses req.Header directly and doesn't check req.Host
429+
if h.Options.Unsafe {
430+
r.Header.Set("Host", value)
431+
}
427432
case "cookie":
428433
// cookies are set in the default branch, and reset during the follow redirect flow
429434
fallthrough

runner/runner.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1640,7 +1640,6 @@ retry:
16401640
if target.CustomHost != "" {
16411641
req.Host = target.CustomHost
16421642
}
1643-
16441643
if !scanopts.LeaveDefaultPorts {
16451644
switch {
16461645
case protocol == httpx.HTTP && strings.HasSuffix(req.Host, ":80"):

0 commit comments

Comments
 (0)