From 5f9be5933f3d77fd8bf548f556f8f512f7d7695f Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 12 Jan 2026 21:54:21 +0100
Subject: [PATCH] htp: checks a hostname does not begin with a slash

Ticket: 7851
If it does, it is an URI, not a valid host name
---
 htp/htp_util.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/htp/htp_util.c b/htp/htp_util.c
index 936e22b0..e14d1956 100644
--- a/htp/htp_util.c
+++ b/htp/htp_util.c
@@ -623,6 +623,12 @@ htp_status_t htp_parse_hostport(bstr *hostport, bstr **hostname, bstr **port, in
 unsigned char *colon = memchr(data, ':', len);
 if (colon == NULL) {
 // Hostname alone, no port.
+ if (data[0] == '/' && (len == 1 || data[1] != '/')) {
+ //If it starts with "//", we should skip (might have parsed a scheme and no creds)
+ //If it starts with '/', this is a path, not a hostname
+ *invalid = 1;
+ return HTP_OK;
+ }
 *hostname = bstr_dup_mem(data, len);
 if (*hostname == NULL) return HTP_ERROR;
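Review bot: The leading-slash rejection is added only inside the `if (colon == NULL)` branch, so a value that begins with `/` and also contains a `:` (constructed example: `/a:80`) takes the port branch and never reaches this check; that branch lies outside the hunk, so whether it rejects such input on its own cannot be confirmed from here. If the intent is that no hostname may start with a single slash, the test `if (data[0] == '/' && (len == 1 || data[1] != '/'))` would sit better just before the `memchr` call, so that both branches share it. The read of `data[0]` also relies on `len` being non-zero, which is presumably guaranteed earlier in htp_parse_hostport, above the hunk, and is worth confirming. The first comment says "we should skip" without naming what is skipped; if it means the check itself, something like `// A leading "//" is not rejected here: a scheme may have been parsed with no credentials` would read more clearly.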