Scheme https is forced for -vhost-input even when using -no-fallback-scheme #2020

noaho · 2024-12-03T10:10:06Z

httpx version:

v1.6.9

Current Behavior:

When using -vhost-input, httpx forces HTTPS scheme even when HTTP is specified in the input URLs. This happens even with -no-fallback-scheme.

Not using -vhost-input, scheme is http (good)

httpx -json -u "http://www.example.com" -silent -no-fallback-scheme | jq
{
  "timestamp": "2024-12-03T17:08:15.874979843+07:00",
  "port": "80",
  "url": "http://www.example.com",
  "input": "http://www.example.com",
  "title": "Example Domain",
  "scheme": "http",
  "webserver": "ECAcc (lac/558D)",
  "content_type": "text/html",
  "method": "GET",
  "host": "93.184.215.14",
  "path": "/",
  "time": "515.297047ms",
  "a": [
    "93.184.215.14"
  ],
  "aaaa": [
    "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
  ],
  "tech": [
    "Azure",
    "Azure CDN"
  ],
  "words": 298,
  "lines": 46,
  "status_code": 200,
  "content_length": 1256,
  "failed": false,
  "knowledgebase": {
    "PageType": "nonerror",
    "pHash": 0
  },
  "resolvers": [
    "1.0.0.1:53",
    "8.8.8.8:53"
  ]
}

Using vhost-input, scheme is always https (bad)

echo '"http://www.example2.org",http://www.example.com' | httpx -silent -vhost-input -json -no-fallback-scheme | jq

{
  "timestamp": "2024-12-03T17:09:04.854977383+07:00",
  "port": "443",
  "url": "https://www.example.com",
  "input": "\"http://www.example2.org\",http://www.example.com",
  "title": "404 - Not Found",
  "scheme": "https",
  "webserver": "ECAcc (lac/55D2)",
  "content_type": "text/html",
  "method": "GET",
  "host": "93.184.215.14",
  "path": "/",
  "time": "2.565392004s",
  "a": [
    "93.184.215.14"
  ],
  "aaaa": [
    "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
  ],
  "tech": [
    "Azure",
    "Azure CDN"
  ],
  "words": 27,
  "lines": 11,
  "status_code": 404,
  "content_length": 345,
  "failed": false,
  "knowledgebase": {
    "PageType": "error",
    "pHash": 0
  },
  "resolvers": [
    "1.0.0.1:53",
    "8.8.8.8:53"
  ]
}

Expected Behavior:

The scheme should be the same for both input methods, taken from the input URL.

Steps To Reproduce:

echo '"http://www.example2.org",http://www.example.com' | httpx -silent -vhost-input -json -no-fallback-scheme

Cheers!

noaho · 2024-12-04T07:11:33Z

Hey thanks for the amazing quick response!

I tested using
go install github.com/projectdiscovery/httpx/cmd/httpx@ff00cee

Unfortunately it doesn't seem to respond at all with -vhost-input now..

echo '"http://www.example2.org",http://www.example.com' | httpx -silent -vhost-input -json -no-fallback-scheme
<no output>

noaho added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Dec 3, 2024

dogancanbakir self-assigned this Dec 3, 2024

dogancanbakir linked a pull request Dec 3, 2024 that will close this issue

fix stdin parsing #2021

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scheme https is forced for -vhost-input even when using -no-fallback-scheme #2020

Scheme https is forced for -vhost-input even when using -no-fallback-scheme #2020

noaho commented Dec 3, 2024

noaho commented Dec 4, 2024

Scheme https is forced for -vhost-input even when using -no-fallback-scheme #2020

Scheme https is forced for -vhost-input even when using -no-fallback-scheme #2020

Comments

noaho commented Dec 3, 2024

httpx version:

Current Behavior:

Not using -vhost-input, scheme is http (good)

Using vhost-input, scheme is always https (bad)

Expected Behavior:

Steps To Reproduce:

noaho commented Dec 4, 2024