Skip to content

Fix http host/origin allowlist never matching configured values#813

Merged
evoskuil merged 1 commit into
libbitcoin:masterfrom
echennells:fix-host-allowlist-normalization
May 21, 2026
Merged

Fix http host/origin allowlist never matching configured values#813
evoskuil merged 1 commit into
libbitcoin:masterfrom
echennells:fix-host-allowlist-normalization

Conversation

@echennells
Copy link
Copy Markdown

@echennells echennells commented May 21, 2026

is_allowed_host/is_allowed_origin compared the request host (normalized via to_normal_host, which substitutes default_port when the port is zero) against the raw configured endpoints in options_.hosts/origins, which are not normalized. A configured value without an explicit port (e.g. host = localhost) therefore never matched any request because the request side carried default_port (80/443) while the configured side carried port 0.

Compare against host_names()/origin_names() instead, which apply the same to_lower(default_port) normalization to the configured values, so both sides are symmetric.

Verified on a node: with host = localhost configured, Host: localhost is now accepted (was rejected), while non-listed hosts are still rejected.

@echennells
Fix http host/origin allowlist never matching configured values
0694fba 
is_allowed_host/is_allowed_origin compared the request host (normalized
via to_normal_host, which substitutes default_port when the port is zero)
against the raw configured endpoints in options_.hosts/origins, which are
not normalized. A configured value without an explicit port (e.g.
host = localhost) therefore never matched any request — not even an
identical Host header — because the request side carried default_port
(80/443) while the configured side carried port 0.

Compare against host_names()/origin_names() instead, which apply the same
to_lower(default_port) normalization to the configured values, so both
sides are symmetric.

Verified on a live node: with host = localhost configured, Host: localhost
is now accepted (was rejected), while non-listed hosts are still rejected.
@evoskuil
Copy link
Copy Markdown
Member

evoskuil commented May 21, 2026
edited
Loading

This is at least the third time we have hit a namespace conflict due to xcode polluting the global namespace with a common word.

/Users/runner/work/libbitcoin-network/libbitcoin-network/libbitcoin-network/test/protocols/protocol.cpp:183:12: error: reference to 'session' is ambiguous
  183 |   : public session
      |            ^
/Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sys/proc.h:86:8: note: candidate found by name lookup is 'session'
   86 | struct session;

Workaround: a812ef2

@evoskuil evoskuil merged commit 3f082cb into libbitcoin:master May 21, 2026
12 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@echennells @evoskuil