Issue #963 new

X-Forward-* headers can be a comma separated list

created an issue

I've found an issue with the way CherryPy handles the X-Forward-* headers. A customer has two proxy servers in front of our CherryPy solution. Each proxy appends itself to the X-Forward-* headers as described at This leads to bugs with HTTPRedirects and every other method that uses cherrypy.request.base or cherrypy.url(). cherrypy.request.base looks like ",".

This patch fixes the issue for me. Other places may have to be altered, too.

{{{ Index: cherrypy/lib/ =================================================================== --- cherrypy/lib/ (revision 17525) +++ cherrypy/lib/ (revision 17548) @@ -127,6 +127,9 @@

 if local:
     base = request.headers.get(local, base)
  • X-Forwarded-Host may be a comma-separated list


  • base = base.split(",", 1)[0].strip() if not base: port = cherrypy.request.local.port if port == 80: Index: cherrypy/ =================================================================== --- cherrypy/ (revision 17525) +++ cherrypy/ (revision 17548) @@ -498,6 +498,9 @@ domain = header('Host', '') if use_x_forwarded_host: domain = header("X-Forwarded-Host", domain)
  • X-Forwarded-Host may be a comma-separated list


  • domain = domain.split(",", 1)[0].strip()

     prefix = domains.get(domain, "")
     if prefix:
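
Review bot: In the first hunk (@@ -127,6 +127,9), `base.split(",", 1)[0]` keeps the leftmost entry of the list, and the choice of position is not justified anywhere in the change. The issue text says each proxy appends itself, which makes the leftmost entry the one farthest from the server, and `base` goes on to feed `cherrypy.request.base` and redirects. Suggest stating which position is trusted and why, or deriving the index from the number of proxies deployed, and adding a test with a multi-valued header. The added comment also names X-Forwarded-Host while the header name actually comes from `local`, so the comment should say "the `local` header".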
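
Review bot: The second hunk (@@ -498,6 +498,9) repeats the `split(",", 1)[0].strip()` expression from the first hunk; a shared helper would keep the two call sites from diverging if the element choice changes. As flattened here it is not clear whether the split sits under `if use_x_forwarded_host:`; if it runs unconditionally it also rewrites a plain `Host` value, so it belongs inside that branch. The result is the key for `domains.get(domain, "")`, so the question of which list entry is trusted applies to the prefix lookup as well.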


Comments (1)

  1. guest reporter

    Note that the hostnames seem to be appended to the right-hand side, so the patch may need to do base.split(...)[-1] instead of [0]. Otherwise, an external client could supply a bogus 'X-Forwarded-Host:' in their request, and the patch would then redirect to The rightmost host is presumably added by the real proxy and can therefore be trusted.
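
The element choice discussed in the comment above, as an added example that is not CherryPy code or part of the submitted patch. It generalizes the `[-1]` suggestion to a chain of several proxies you operate, assuming each of them appends exactly one entry; `pick_forwarded_host`, `trusted_hops` and the sample hostnames are hypothetical.

```python
import re

# Conservative host[:port] syntax check (assumption: IPv6 literals are not needed).
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::\d{1,5})?")


def pick_forwarded_host(header_value, trusted_hops, default):
    """Return the list entry appended by the outermost proxy we operate.

    header_value: raw X-Forwarded-Host value, possibly comma-separated.
    trusted_hops: number of proxies we run in front of the app (hypothetical setting).
    default:      host to use when the header cannot be trusted.
    """
    if not header_value or trusted_hops < 1:
        return default
    entries = [e.strip() for e in header_value.split(",")]
    # Fewer entries than our own proxies: the request skipped part of the
    # chain, so nothing in the header was written by a proxy we can vouch for.
    if len(entries) < trusted_hops:
        return default
    # Count from the right: anything further left arrived with the request
    # and may have been supplied by the client.
    candidate = entries[-trusted_hops]
    # Reject anything that is not a plain host[:port] before it reaches
    # request.base or a redirect Location.
    if not _HOST_RE.fullmatch(candidate):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample headers for a deployment with two proxies.
    samples = [
        "www.example.com, edge-b.internal",
        "evil.example, www.example.com, edge-b.internal",
        "evil.example",
    ]
    for value in samples:
        print(repr(value), "->", pick_forwarded_host(value, 2, "app.internal:8080"))
```

With `trusted_hops=1` this reduces to the rightmost entry, which is the behaviour the comment proposes.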
