[CherryPy] #963: X-Forward-* headers can be a comma separated list


CherryPy

Oct 13, 2009, 7:04:12 AM
to cherrypy...@googlegroups.com
#963: X-Forward-* headers can be a comma separated list
---------------------------+------------------------------------------------
Reporter: guest | Owner: fumanchu
Type: defect | Status: new
Priority: normal | Milestone:
Component: CherryPy code | Keywords:
---------------------------+------------------------------------------------
I've found an issue with the way CherryPy handles the X-Forward-* headers.
A customer has two proxy servers in front of our CherryPy solution. Each
proxy appends itself to the X-Forward-* headers as described at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers. This leads
to bugs with HTTPRedirects and every other method that uses
cherrypy.request.base or cherrypy.url(). cherrypy.request.base looks like
"http://somehost.example.com, otherhost.example.org".

This patch fixes the issue for me. Other places may have to be altered,
too.

{{{
Index: cherrypy/lib/cptools.py
===================================================================
--- cherrypy/lib/cptools.py (revision 17525)
+++ cherrypy/lib/cptools.py (revision 17548)
@@ -127,6 +127,9 @@

if local:
base = request.headers.get(local, base)
+ # X-Forwarded-Host may be a comma-separated list
+ # http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
+ base = base.split(",", 1)[0].strip()
if not base:
port = cherrypy.request.local.port
if port == 80:
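Review bot: `base.split(",", 1)[0].strip()` keeps the leftmost entry of X-Forwarded-Host, and under the mod_proxy behaviour cited in the new comment (each proxy appends to the right) that is the one position a client can fill in itself, while the rightmost entry was written by the proxy nearest CherryPy; since `base` feeds `cherrypy.url()` and therefore HTTPRedirect targets, take the value from the trusted end instead, e.g. `base.rsplit(",", 1)[-1].strip()`, or index `-N` for a chain of N trusted proxies.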
Index: cherrypy/_cpdispatch.py
===================================================================
--- cherrypy/_cpdispatch.py (revision 17525)
+++ cherrypy/_cpdispatch.py (revision 17548)
@@ -498,6 +498,9 @@
domain = header('Host', '')
if use_x_forwarded_host:
domain = header("X-Forwarded-Host", domain)
+ # X-Forwarded-Host may be a comma-separated list
+ #
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
+ domain = domain.split(",", 1)[0].strip()

prefix = domains.get(domain, "")
if prefix:
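Review bot: the added comment is broken across two lines here, with `http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers` standing on its own without a leading `+` or `#`, so the hunk will not apply as posted; rejoin it to the preceding `+ #` line before committing. The same leftmost-entry concern applies to `domain.split(",", 1)[0].strip()`: `domain` is looked up in `domains` to pick a VirtualHost prefix, so a client-supplied leading entry would choose the prefix unless the entry from the trusted (rightmost) end of the list is used.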
}}}

--
Ticket URL: <http://cherrypy.org/ticket/963>
CherryPy <http://www.cherrypy.org>
CherryPy - a pythonic, object-oriented HTTP framework

CherryPy

May 19, 2010, 11:56:56 AM
to cherrypy...@googlegroups.com
#963: X-Forward-* headers can be a comma separated list
---------------------------+------------------------------------------------
Reporter: guest | Owner: fumanchu
Type: defect | Status: new
Priority: normal | Milestone:
Component: CherryPy code | Resolution:
Keywords: |
---------------------------+------------------------------------------------
Comment (by guest):

Note that the hostnames seem to be appended to the right-hand side, so the
patch may need to do base.split(...)[-1] instead of [0]. Otherwise, an
external client could supply a bogus 'X-Forwarded-Host: www.evilsite.com'
in their request, and the patch would then redirect to www.evilsite.com.
The rightmost host is presumably added by the real proxy and can therefore
be trusted.

--
Ticket URL: <http://www.cherrypy.org/ticket/963>
CherryPy <http://www.cherrypy.org>
CherryPy - a pythonic, object-oriented HTTP framework
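The two choices argued over in this ticket, `[0]` versus the trusted end of the list, as an added example that is neither CherryPy's code nor the submitted patch. It assumes the mod_proxy behaviour the ticket cites (each proxy appends the Host it received to the right-hand end of X-Forwarded-Host) and generalises the comment's `[-1]` suggestion to a chain of N trusted proxies: the public hostname is the entry N from the right, the entries to its right are internal hop names, and anything further left is client-supplied. The helper names (`split_forwarded`, `leftmost_host`, `forwarded_host`, `validated_host`) and the sample header values, built from the hostnames in the ticket, are constructed for this example.

```python
"""Picking a hostname out of a comma-separated X-Forwarded-Host value.

Added example, not CherryPy's code or the patch from this ticket.
Assumption (the mod_proxy behaviour the ticket cites): every proxy
appends the Host it received to the right-hand end of X-Forwarded-Host,
so the last N entries were written by the N trusted proxies in front of
the application and anything further left may have come from the client.
"""
from __future__ import annotations


def split_forwarded(value: str) -> list[str]:
    """Split a comma-separated X-Forwarded-* value into stripped, non-empty entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def leftmost_host(header_value: str | None, fallback: str) -> str:
    """What the first patch does: keep entry [0].

    Shown for comparison only: under the append-to-the-right model this is
    the one position a client can fill in with any name it likes.
    """
    if not header_value:
        return fallback
    entries = split_forwarded(header_value)
    return entries[0] if entries else fallback


def forwarded_host(header_value: str | None, fallback: str, trusted_proxies: int) -> str:
    """Return the Host seen by the outermost trusted proxy.

    With N trusted proxies appending to the right, entry -N is the name the
    first of them received, i.e. the public hostname; entries -N+1 .. -1 are
    internal hop names and entries left of -N are untrusted. A list shorter
    than N did not pass through the expected chain, so the fallback is used.
    With trusted_proxies == 0 the header is not trusted at all.
    """
    if trusted_proxies < 1 or not header_value:
        return fallback
    entries = split_forwarded(header_value)
    if len(entries) < trusted_proxies:
        return fallback
    return entries[-trusted_proxies]


def validated_host(host: str, allowed_hosts: set[str], fallback: str) -> str:
    """Extra check: only use a forwarded name the application is configured
    to serve (the same idea as the `domains` mapping in the VirtualHost hunk)."""
    return host if host in allowed_hosts else fallback


if __name__ == "__main__":
    # Constructed values using the hostnames from the ticket.
    honest = "somehost.example.com, otherhost.example.org"  # two proxies, no spoofing
    spoofed = "www.evilsite.com, " + honest                    # client added a leading entry
    for label, value in (("honest", honest), ("spoofed", spoofed)):
        print(f"{label}: [0] -> {leftmost_host(value, 'localhost')}, "
              f"trusted=2 -> {forwarded_host(value, 'localhost', 2)}")
```

With two trusted proxies, `forwarded_host` returns `somehost.example.com` for both sample values, whereas `leftmost_host` returns `www.evilsite.com` for the spoofed one; the number of trusted proxies is deployment configuration, not something to infer from the request.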
