Index: openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl,v
diff -u -r1.118.2.23 -r1.118.2.24
--- openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	31 May 2016 11:19:20 -0000	1.118.2.23
+++ openacs-4/packages/acs-tcl/tcl/request-processor-procs.tcl	4 Jun 2016 11:10:47 -0000	1.118.2.24
@@ -583,7 +583,7 @@
     # 1. determine the root of the host and the requested URL
     if {[catch {set root [root_of_host [ad_host]]} errorMsg]} {
         # check if error message was returned already earlier
-        if {![ad_exception $::errorCode] eq "ad_script_abort"} {
+        if {[ad_exception $::errorCode] ne "ad_script_abort"} {
             ad_page_contract_handle_datasource_error "Host header is invalid"
         }
         return filter_return
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.78.2.13 -r1.78.2.14
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl	30 May 2016 13:26:02 -0000	1.78.2.13
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl	4 Jun 2016 11:10:47 -0000	1.78.2.14
@@ -1800,7 +1800,10 @@
     @return validated host header field or empty
     @author Gustaf Neumann
 
-    Protect against faked or invalid host header fields
+    Protect against faked or invalid host header fields. Host header
+    attacks can lead to web-cache poisoning and password reset attacks
+    (for more details, see e.g.
+    http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
 } {
     #
     # Check, if we have a host header field
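Review bot: The `errorMsg` captured by the catch around `root_of_host` is never used, so when a Host header is rejected the server log records nothing about why and the client only receives the generic "Host header is invalid" datasource error; operators watching for host-header probing get no signal. A log line inside the corrected `ne` branch would close that gap, e.g. `ns_log warning "request processor: invalid host header: $errorMsg"`, placed before the `ad_page_contract_handle_datasource_error` call (the `ad_script_abort` case presumably already produced its own output earlier, so it needs nothing extra). The enclosing filter proc starts and ends outside the hunk.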
@@ -1836,6 +1839,21 @@
     }
 
     #
+    # Check, if the provided host is the same in [ns_conn location]
+    # (will be used as default, but we do not want a warning in such
+    # cases).
+    #
+    if {[util::split_location [ns_conn location] proto locationHost locationPort]} {
+        if {$hostName eq $locationHost} {
+            #
+            # port is currently ignored
+            #
+            set $key 1
+            return $host
+        }
+    }
+
+    #
+    # Check, if the provided host is the same as in the configured
     # SystemURL.
     #
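Review bot: The new early-accept branch treats `[ns_conn location]` as a trusted, configured value, but if the server computes the location from the request's own Host header (NaviServer can do this when virtual hosting is enabled), `$hostName eq $locationHost` compares the header with itself and `set $key 1` caches any supplied host as validated; this should be confirmed against the server configuration, or the branch moved after the SystemURL comparison that follows. The comment states that the port is ignored, yet the value returned and cached is `$host`, which presumably still carries whatever port the client sent, while `locationPort` and `proto` are split out and discarded, so a `$hostPort eq $locationPort` check alongside the name comparison looks like a one-line hardening. `eq` is also case-sensitive whereas host names are not, so a legitimately but differently cased host silently falls through to the later checks and their warning. The enclosing proc and the definitions of `$key`, `$host` and `$hostName` lie outside the hunk.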