"enable host header validation" security feature for web interace can be bypassed by accessing via IP address instead of hostname

[catharsis71]

The "enable host header validation" option for the web interface is appreciated and useful however it appears it can be trivially bypassed.

If you access the web interface by IP address without using a hostname, it appears to defeat the validation and allow direct access.

For example, if "enable host header validation" is set to https://hostname1.example.com:65533/, then trying to access it via https://hostname2.example.com:65533/ will be blocked as expected, but if you use https://[IP_ADDRESS_HERE]:65533/ access will be allowed

I've only tested this with IPV6 so I'm not certain if it happens with IPV4 as well; I'm not able to test it via IPV4 at this time.