From 383cc02354c2a4235a98338005f8b47ffab4e53a Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Wed, 7 Jan 2026 14:50:33 -0600
Subject: [PATCH] Reject duplicate Host headers (for libsoup 2)

This is a simplified version of my patch for libsoup 3: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/491
---
 libsoup/soup-headers.c | 3 +++
 libsoup/soup-message-headers.c | 3 +++
 tests/header-parsing.c | 18 ++++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
index 8256de0d..0b08da94 100644
--- a/libsoup/soup-headers.c
+++ b/libsoup/soup-headers.c
@@ -138,6 +138,9 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
 for (p = strchr (value, '\r'); p; p = strchr (p, '\r'))
 *p = ' ';
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (dest, "Host"))
+ goto done;
+
 soup_message_headers_append (dest, name, value);
 }
 success = TRUE;
diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 83bd89fb..583bd784 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -220,6 +220,9 @@ soup_message_headers_append (SoupMessageHeaders *hdrs,
 }
 #endif
+ if (g_ascii_strcasecmp (name, "Host") == 0 && soup_message_headers_get_one (hdrs, "Host"))
+ return;
+
 header.name = intern_header_name (name, &setter);
 header.value = g_strdup (value);
 g_array_append_val (hdrs->array, header);
diff --git a/tests/header-parsing.c b/tests/header-parsing.c
index 9888de41..aae2ac5b 100644
--- a/tests/header-parsing.c
+++ b/tests/header-parsing.c
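Review bot: In libsoup/soup-headers.c the new `if` in soup_headers_parse has no comment saying why Host alone is singled out or what `goto done` does; since the jump sits above `success = TRUE;`, the parse presumably fails as a whole, which matches the SOUP_STATUS_BAD_REQUEST the new tests expect. I would add `/* More than one Host makes the request target ambiguous; fail the parse rather than pick one. */` above the check. The check also reads `dest` rather than tracking what this call has seen, so a Host value already present in `dest` on entry would make a single Host line fail too; it is worth confirming that callers always pass empty headers. Headers appended before the duplicate stay in `dest` on the failure path, so callers should not use it after a failed parse. The body of soup_headers_parse starts and ends outside the hunk, so the `done:` label and its cleanup are not visible.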
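Review bot: In libsoup/soup-message-headers.c the early `return` in soup_message_headers_append silently keeps the first Host value and discards the later one, with no comment, no diagnostic and, as far as the hunk shows, no way for the caller to learn the value was dropped. Because the check this patch adds to soup_headers_parse fails before it reaches append, this branch should only be reached by code that appends directly, where a silent no-op can hide a caller bug or keep an anomalous message out of the logs. I would document the rule at the check, e.g. `/* Host must be unique: keep the first value and ignore later ones. */`, mention it in the function's API documentation, and consider a `g_debug ()` line there so the drop is observable. The function's signature and the code before `#endif` are outside the hunk.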
@@ -444,6 +444,24 @@ static struct RequestTest {
 "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
 SOUP_STATUS_BAD_REQUEST,
 NULL, NULL, -1,
+ { { NULL } },
+ },
+
+ { "Duplicate Host headers",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+ { { NULL } }
+ },
+
+ { "Duplicate Host headers (case insensitive)",
+ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
+ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
+ -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
 { { NULL } }
 }
 };
--
2.52.0
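Review bot: The two new RequestTest entries cover only the parser path; nothing in this hunk exercises the other behaviour change in the patch, the silent drop in soup_message_headers_append when Host is appended twice through the API. A small test that appends `Host` twice to a fresh SoupMessageHeaders and asserts that `soup_message_headers_get_one (hdrs, "Host")` still returns the first value would pin that first-value-wins rule. A third table entry that repeats the same value (`Host: example.com` twice) would also record that identical duplicates are rejected, not only conflicting ones. The RequestTest array starts outside the hunk.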