Issue #963 new

X-Forwarded-* headers can be a comma-separated list

guest created an issue

I've found an issue with the way CherryPy handles the X-Forwarded-* headers. A customer has two proxy servers in front of our CherryPy solution. Each proxy appends itself to the X-Forwarded-* headers as described at http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers. This leads to bugs with HTTPRedirects and every other method that uses cherrypy.request.base or cherrypy.url(). cherrypy.request.base looks like "http://somehost.example.com, otherhost.example.org".

This patch fixes the issue for me. Other places may have to be altered, too.

{{{ Index: cherrypy/lib/cptools.py =================================================================== --- cherrypy/lib/cptools.py (revision 17525) +++ cherrypy/lib/cptools.py (revision 17548) @@ -127,6 +127,9 @@

 if local:
     base = request.headers.get(local, base)
  • X-Forwarded-Host may be a comma-separated list

  • http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

  • base = base.split(",", 1)[0].strip() if not base: port = cherrypy.request.local.port if port == 80: Index: cherrypy/_cpdispatch.py =================================================================== --- cherrypy/_cpdispatch.py (revision 17525) +++ cherrypy/_cpdispatch.py (revision 17548) @@ -498,6 +498,9 @@ domain = header('Host', '') if use_x_forwarded_host: domain = header("X-Forwarded-Host", domain)
  • X-Forwarded-Host may be a comma-separated list

  • http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

  • domain = domain.split(",", 1)[0].strip()

     prefix = domains.get(domain, "")
     if prefix:
    

    }}}
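Review bot: in the cherrypy/lib/cptools.py hunk, `base = base.split(",", 1)[0].strip()` runs unconditionally right after `base = request.headers.get(local, base)`, so when the header is absent and the tool was called with `base=None` the default is `None` and `.split` raises `AttributeError` before the `if not base:` fallback that used to cover that case is reached. Guard it, e.g. `if base: base = base.split(",", 1)[0].strip()`, or split only a value actually read from the header. Separately, `[0]` keeps the leftmost entry, which in a chain of appending proxies is the one furthest from the application and can be supplied by the client itself; the entry written by your own proxy sits at the right end, so `base.rsplit(",", 1)[-1].strip()` (or indexing from the right by the number of trusted proxies) is the safer choice.

Review bot: the cherrypy/_cpdispatch.py hunk makes the same leftmost choice for the virtual-host lookup: with `domain = domain.split(",", 1)[0].strip()` a client that sends its own `X-Forwarded-Host` decides which key of `domains` is used for prefix routing, regardless of what the proxy appended to the right of it; take the entry from the right for the same reason. Since both hunks now parse this header with identical code and the same reference comment, consider one shared helper (in cptools, for instance) that both call, so the two copies cannot drift apart.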

Comments (1)

  1. guest reporter

    Note that the hostnames seem to be appended to the right-hand side, so the patch may need to do base.split(...)[-1] instead of [0]. Otherwise, an external client could supply a bogus 'X-Forwarded-Host: www.evilsite.com' in their request, and the patch would then redirect to www.evilsite.com. The rightmost host is presumably added by the real proxy and can therefore be trusted.
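The trust question raised in this comment, carried one step further as an added example (not CherryPy code and not part of the patch above): with proxies that append, the entries at the right end of X-Forwarded-Host come from the proxies nearest the application, so the value to redirect or route on is the one written by the outermost proxy you control, which sits as many places from the right as you have trusted proxies; everything left of it is client input. The function names, the `trusted_proxies` parameter and the three header values are constructed for this example; the two-proxy layout assumes the outer proxy appends the public host and the inner proxy appends the internal name the outer one connected with.

```python
"""
Picking the trustworthy entry out of a comma-separated X-Forwarded-Host.

Added example, not CherryPy code.  It assumes the mod_proxy behaviour the
report links to: each proxy appends the Host header it received, so the
rightmost entries come from the proxies nearest the application and the
leftmost entry may be whatever the client put in its own header.
"""


def split_forwarded(value):
    """Split a comma-separated X-Forwarded-* value into its entries.

    Empty entries ("a,,b", a trailing comma) are dropped so that padding
    in a client-supplied header cannot shift the trusted proxy's entry.
    """
    if not value:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def naive_host(value):
    """What the proposed patch does: keep the leftmost entry.

    With one or more appending proxies in front, the leftmost entry is
    whatever the client sent in its own X-Forwarded-Host, if it sent one.
    """
    return value.split(",", 1)[0].strip()


def trusted_host(value, trusted_proxies, fallback=None):
    """Return the entry appended by the outermost *trusted* proxy.

    trusted_proxies is the number of proxies in front of the app that you
    control.  Each appends exactly one entry, so the outermost one's entry
    sits trusted_proxies places from the right; anything further left came
    from outside the trusted chain.  A header with fewer entries than that
    did not come through the expected chain, so nothing in it is trusted
    and the fallback (e.g. the plain Host header) is returned instead.
    """
    if trusted_proxies < 1:
        raise ValueError("trusted_proxies must be at least 1")
    entries = split_forwarded(value)
    if len(entries) < trusted_proxies:
        return fallback
    return entries[-trusted_proxies]


# Constructed header values for the scenarios (not captured traffic).
# One trusted proxy; the client injected an entry of its own in front.
INJECTED = "www.evilsite.com, somehost.example.com"
# Two chained proxies as in the report: the outer one appends the public
# host, the inner one appends the internal name the outer one used.
CHAINED = "somehost.example.com, otherhost.example.org"
# The same chain with a client-supplied entry in front of it.
CHAINED_INJECTED = "www.evilsite.com, somehost.example.com, otherhost.example.org"


if __name__ == "__main__":
    print("patch [0]      :", naive_host(INJECTED))                 # www.evilsite.com
    print("1 trusted proxy:", trusted_host(INJECTED, 1))            # somehost.example.com
    print("2 trusted      :", trusted_host(CHAINED, 2))             # somehost.example.com
    print("2 trusted      :", trusted_host(CHAINED_INJECTED, 2))    # somehost.example.com
    print("no header      :", trusted_host("", 1, fallback="localhost:8080"))  # localhost:8080
```

With the patch's leftmost choice the injected entry wins the redirect; counting from the right by the number of proxies you actually run, it does not, and in the two-proxy case the public host is recovered rather than the inner proxy's internal name. The absent-header case returns the fallback instead of raising, which is the case the patch's unconditional `.split` would trip over.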