Hello!

The following patch series improves ngx_http_validate_host(). It now requires the Host header to be valid according to RFC 3986, instead of accepting more or less anything except ".." and "/". In particular, non-ASCII characters and invalid port numbers are no longer allowed in the Host header.

This also fixes "." not being stripped if port contained ".", which can be seen as an issue in some configurations, see https://github.com/freenginx/nginx/issues/11.

At the same time, the patch series relaxes checks in request line parsing to actually accept hosts which are valid per RFC 3986 (and RFC 6874, IPv6 addresses with zone identifiers). Previously, much stricter rules were used, and some valid hosts were rejected in the request line - notably, hosts with "_", which are used in practice. This wasn't really noticed though, since the absolute form of the request URI isn't used much.

Review and testing appreciated.

--
Maxim Dounin
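The checks described in the message above, sketched as an added example that is not part of the patch series and is not nginx code: a validator for a `host[:port]` value following the RFC 3986 character rules, with the port restricted to digits and a trailing dot stripped whether or not a port is present. The names `host_normalize` and `is_host_char` are hypothetical; bracketed IP literals get only a character-set check, and lowercasing and rejecting an empty host are choices of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not nginx code. RFC 3986 unreserved / sub-delims. */
static int is_host_char(unsigned char c)
{
    return c != '\0' && c < 0x80
           && (isalnum(c) || strchr("-._~!$&'()*+,;=", c) != NULL);
}

/* Hypothetical helper: validate "host[:port]" and copy the lowercased host,
 * without the port and without one trailing dot, into out.
 * Returns 0 on success, -1 if the value is rejected. */
int host_normalize(const char *in, char *out, size_t outsz)
{
    int     literal = (in[0] == '[');
    size_t  i = literal ? 1 : 0, n, k;

    for ( ; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char) in[i];

        if (literal ? c == ']' : c == ':') break;
        if (c == '%') {                       /* pct-encoded or zone "%25" */
            if (!isxdigit((unsigned char) in[i + 1])
                || !isxdigit((unsigned char) in[i + 2])) return -1;
        } else if (!is_host_char(c) && !(literal && c == ':')) {
            return -1;                        /* non-ASCII, "/", space, ... */
        }
    }
    if (literal) {                            /* character-set check only, */
        if (in[i] != ']') return -1;          /* not the full IPv6 grammar */
        i++;
    }
    n = i;                                    /* end of the host part */

    if (in[i] == ':') {                       /* port = *DIGIT */
        for (i++; in[i] != '\0'; i++)
            if (!isdigit((unsigned char) in[i])) return -1;
    } else if (in[i] != '\0') {
        return -1;                            /* junk after "]" */
    }

    if (!literal && n > 0 && in[n - 1] == '.') n--;   /* "example.com." */
    if (n == 0 || n + 1 > outsz) return -1;   /* empty host: rejected here */

    for (k = 0; k < n; k++) out[k] = (char) tolower((unsigned char) in[k]);
    out[n] = '\0';
    return 0;
}
```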
