From 228fd81e964a101e33270b555128fb48e3b7b28f Mon Sep 17 00:00:00 2001
From: Joel Wurtz <jwurtz@jolicode.com>
Date: Tue, 10 Dec 2024 12:35:57 +0100
Subject: [PATCH] feat(guard): do not use host header on http2 for guard

---
 actix-web/CHANGES.md        |  1 +
 actix-web/src/guard/host.rs | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/actix-web/CHANGES.md b/actix-web/CHANGES.md
index cee14dc4b..12259bc8c 100644
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@@ -5,6 +5,7 @@
 - On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use.
 - Update `brotli` dependency to `7`.
 - Minimum supported Rust version (MSRV) is now 1.75.
+- Guard Host does not use Host header anymore when on HTTP/2, it only use authority pseudo header.
 
 ## 4.9.0
 
diff --git a/actix-web/src/guard/host.rs b/actix-web/src/guard/host.rs
index a971a3e30..e3c6640fe 100644
--- a/actix-web/src/guard/host.rs
+++ b/actix-web/src/guard/host.rs
@@ -66,6 +66,7 @@ fn get_host_uri(req: &RequestHead) -> Option<Uri> {
     req.headers
         .get(header::HOST)
         .and_then(|host_value| host_value.to_str().ok())
+        .filter(|_| req.version < actix_http::Version::HTTP_2)
         .or_else(|| req.uri.host())
         .and_then(|host| host.parse().ok())
 }
@@ -123,6 +124,38 @@ mod tests {
     use super::*;
     use crate::test::TestRequest;
 
+    #[test]
+    fn host_not_from_header_if_http2() {
+        let req = TestRequest::default()
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let req = TestRequest::default()
+            .version(actix_http::Version::HTTP_2)
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(host.check(&req.guard_ctx()));
+    }
+
     #[test]
     fn host_from_header() {
         let req = TestRequest::default()