From a49f055561325dc8541de169eb5bcf049260747d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20W=C3=A4rmedal?=
 <bjornwarmedal@users.noreply.github.com>
Date: Sat, 10 May 2025 04:00:20 +0200
Subject: [PATCH 1/3] build(deps): update url requirement from 2.1 to 2.5.4
 (#3527)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Björn Wärmedal <bjorn.warmedal@lumera.com>
Co-authored-by: Rob Ede <robjtede@icloud.com>
---
 actix-web/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actix-web/Cargo.toml b/actix-web/Cargo.toml
index afa4eadbc..f64196c77 100644
--- a/actix-web/Cargo.toml
+++ b/actix-web/Cargo.toml
@@ -166,7 +166,7 @@ smallvec = "1.6.1"
 tracing = "0.1.30"
 socket2 = "0.5"
 time = { version = "0.3", default-features = false, features = ["formatting"] }
-url = "2.1"
+url = "2.5.4"
 
 [dev-dependencies]
 actix-files = "0.6"

From 079400a72b79d918491aef783db41a6230fbcfce Mon Sep 17 00:00:00 2001
From: Rob Ede <robjtede@icloud.com>
Date: Sat, 10 May 2025 03:21:54 +0100
Subject: [PATCH 2/3] build: add clippy-msrv recipe

---
 justfile | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/justfile b/justfile
index a9df2d633..065640827 100644
--- a/justfile
+++ b/justfile
@@ -41,17 +41,18 @@ check-min:
 check-default:
     cargo hack --workspace check
 
-# Run Clippy over workspace.
+# Check workspace.
 check: && clippy
+    fd --hidden --type=file --extension=md --extension=yml --exec-batch npx -y prettier --check
 
 # Run Clippy over workspace.
 clippy:
     cargo {{ toolchain }} clippy --workspace --all-targets {{ all_crate_features }}
 
-# Test workspace using MSRV.
-test-msrv:
+# Run Clippy over workspace using MSRV.
+clippy-msrv:
     @just toolchain={{ msrv_rustup }} downgrade-for-msrv
-    @just toolchain={{ msrv_rustup }} test
+    @just toolchain={{ msrv_rustup }} clippy
 
 # Test workspace code.
 test:
@@ -60,6 +61,11 @@ test:
     cargo {{ toolchain }} nextest run --no-tests=warn -p=actix-router --no-default-features
     cargo {{ toolchain }} nextest run --no-tests=warn --workspace --exclude=actix-web-codegen --exclude=actix-multipart-derive {{ all_crate_features }} --filter-expr="not test(test_reading_deflate_encoding_large_random_rustls)"
 
+# Test workspace using MSRV.
+test-msrv:
+    @just toolchain={{ msrv_rustup }} downgrade-for-msrv
+    @just toolchain={{ msrv_rustup }} test
+
 # Test workspace docs.
 test-docs: && doc
     cargo {{ toolchain }} test --doc --workspace {{ all_crate_features }} --no-fail-fast -- --nocapture

From 3147aaccc73e7611a88a2e18dbfbaadb27b96983 Mon Sep 17 00:00:00 2001
From: Joel Wurtz <joel.wurtz@gmail.com>
Date: Sat, 10 May 2025 04:42:00 +0200
Subject: [PATCH 3/3] feat: do not use host header on http2 for guard (#3525)

* feat(guard): do not use host header on http2 for guard

* docs: update changelog

---------

Co-authored-by: Rob Ede <robjtede@icloud.com>
---
 actix-web/CHANGES.md        |  1 +
 actix-web/src/guard/host.rs | 35 ++++++++++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/actix-web/CHANGES.md b/actix-web/CHANGES.md
index ff3f999ac..bc34fcd77 100644
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@@ -6,6 +6,7 @@
 - Improve handling of non-UTF-8 header values in `Logger` middleware.
 - Add `HttpServer::shutdown_signal()` method.
 - Mark `HttpServer` as `#[must_use]`.
+- Ignore `Host` header in `Host` guard when connection protocol is HTTP/2.
 - Re-export `mime` dependency.
 - Update `brotli` dependency to `8`.
 
diff --git a/actix-web/src/guard/host.rs b/actix-web/src/guard/host.rs
index a971a3e30..835662346 100644
--- a/actix-web/src/guard/host.rs
+++ b/actix-web/src/guard/host.rs
@@ -1,4 +1,4 @@
-use actix_http::{header, uri::Uri, RequestHead};
+use actix_http::{header, uri::Uri, RequestHead, Version};
 
 use super::{Guard, GuardContext};
 
@@ -66,6 +66,7 @@ fn get_host_uri(req: &RequestHead) -> Option<Uri> {
     req.headers
         .get(header::HOST)
         .and_then(|host_value| host_value.to_str().ok())
+        .filter(|_| req.version < Version::HTTP_2)
         .or_else(|| req.uri.host())
         .and_then(|host| host.parse().ok())
 }
@@ -123,6 +124,38 @@ mod tests {
     use super::*;
     use crate::test::TestRequest;
 
+    #[test]
+    fn host_not_from_header_if_http2() {
+        let req = TestRequest::default()
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let req = TestRequest::default()
+            .version(actix_http::Version::HTTP_2)
+            .uri("www.rust-lang.org")
+            .insert_header((
+                header::HOST,
+                header::HeaderValue::from_static("www.example.com"),
+            ))
+            .to_srv_request();
+
+        let host = Host("www.example.com");
+        assert!(!host.check(&req.guard_ctx()));
+
+        let host = Host("www.rust-lang.org");
+        assert!(host.check(&req.guard_ctx()));
+    }
+
     #[test]
     fn host_from_header() {
         let req = TestRequest::default()