
Odd HTTP URI Requests with Misplaced Periods


I received an error report from my system because of a request that looked like this:

https://www.example.com./

Note the added period before the third forward-slash.

I would not imagine this to be valid, though the server says that $_SERVER['HTTP_HOST'] = www.example.net..

  • Is this technically valid?
  • Should I be using trim with odd characters to redirect to the actual host name URLs?
  • Are there other odd ways that an $_SERVER['HTTP_HOST'] could be requested that I should try to have my system compensate for?

Solution

    1. Yes, it's valid! Check out https://stackoverflow.com./.
    2. Technically I believe the URIs are identical, so I don't know that there's a strong reason to redirect from one to the other. If it works, I don't think I would touch this. Note that Stack Overflow, for example, does not.
    3. The HTTP Host header is controlled by the client and could be any string. So if you're doing anything with that header, such as adding it to your HTML or a SQL string, you need to treat it like user input and escape it. You should assume this for every header. It's always possible to make a request with curl and change any of them.
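
One way to apply the answer's third point together with the trailing-dot form from the question, as an added example that is not part of the original answer: normalize the Host value, then accept it only if it matches an allowlist. `ALLOWED_HOSTS` and `canonical_host()` are hypothetical names, and the hostnames and sample values are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: the hostnames this application is willing to serve (constructed values).
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the canonical allowlisted host for a raw Host header value,
 * or null if the request should be rejected.
 */
function canonical_host(?string $rawHost): ?string
{
    // 260 = 253-character DNS name limit + trailing dot + ":" + 5-digit port.
    if ($rawHost === null || $rawHost === '' || strlen($rawHost) > 260) {
        return null;
    }
    $host = strtolower($rawHost);

    // Split off an optional numeric port ("host:8443"). IPv6 literals are not handled here.
    if (preg_match('/^(.*):(\d{1,5})$/D', $host, $m) === 1) {
        $host = $m[1];
    }

    // "www.example.com." is the fully qualified form of the same name: drop ONE trailing dot.
    if (substr($host, -1) === '.') {
        $host = substr($host, 0, -1);
    }

    // Letters, digits, hyphens and single dots only; rejects "..", whitespace, quotes, "<", "/".
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $host) !== 1) {
        return null;
    }

    // Strict comparison against the allowlist; anything else is not ours to serve.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

// Constructed sample Host values, as a client could send them.
// In a real request the input would be $_SERVER['HTTP_HOST'] ?? null.
$samples = ['www.example.com', 'www.example.com.', 'WWW.Example.COM.:443',
            'www.example.com..', 'evil.example', 'www.example.com"><script>',
            "www.example.com\n"];
foreach ($samples as $raw) {
    $host = canonical_host($raw);
    printf("%-34s => %s\n", json_encode($raw), $host ?? 'REJECT (respond 400)');
}
```

Use the returned canonical value, never the raw header, when building absolute URLs, redirects or cache keys; output escaping is still required wherever the value is written into HTML or SQL.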