我有一个任务来减轻MVC应用程序中的主机标头注入。除其他外,我想通过创建HTTP模块来实现白名单检查。
到目前为止,我正在使用类似这样的东西:
web.config条目:
<system.webServer>
<modules>
<add name="TestHttpModule" type="MVC5TestApp.MyHttpModule,MVC5TestApp" />
</modules>
</system.webServer>
HTTP模块类:
public class MyHttpModule: IHttpModule
{
public MyHttpModule() {}
public void Init(HttpApplication application)
{
application.BeginRequest += new EventHandler(this.context_BeginRequest);
application.EndRequest += new EventHandler(this.context_EndRequest);
}
public void context_BeginRequest(object sender,EventArgs e)
{
CheckForHostHeaderInjection();
}
public void context_EndRequest(object sender,EventArgs e)
{
// some code
}
public void Dispose() {}
private void CheckForHostHeaderInjection()
{
// Currently,I am just comparing the following two ServerVariables.
// I will add a method to compare "HTTP_HOST" value against a whitelist later.
var httpHost = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];
var serverName = HttpContext.Current.Request.ServerVariables["SERVER_NAME"];
if (!string.Equals(httpHost,serverName))
{
// What do I do in order to send back to the client a 400 Bad Request??
}
}
}