|Summary:|Implement Forwarded header (RFC 7239) to mod_proxy_http|
|Product:|Apache httpd-2|
|Reporter:|Takashi Sato <takashi.asfbugzilla>|
|Component:|mod_proxy_http|
|Assignee:|Apache HTTPD Bugs Mailing List <bugs>|
|Attachments:|Add Forwarded header|
Description Takashi Sato 2015-06-04 07:51:25 UTC
According to the document, mod_proxy_http supports X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server. Last year RFC 7239 standardized a new Forwarded header.
Comment 1 Christian Schmidt 2017-08-08 20:48:29 UTC
Created attachment 35207
Add Forwarded header

This patch adds the Forwarded header in the same manner as X-Forwarded-*. I added a new configuration variable, ProxyAddForwardedHeader, in addition to ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in order to stay conservative, but I don't know what the general policy about such things is in this project.
Comment 2 best 2017-08-09 10:05:32 UTC
Cool! This looks good. Except that the content of the "Host" header is not escaped, which could raise security threats if the request Host header contains chars like ";
3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL);
Comment 3 Christian Schmidt 2017-08-09 18:46:22 UTC
AFAICT the Host header is already sanitized. All my attempts to inject invalid characters in this header result in a "400 Bad Request" response. However, I am new to Apache development, so I'd appreciate any guidance on how to deal with this issue, i.e. which validation functions to use etc.
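
The escaping question raised in comment 2, as an added example that is not part of the attached patch or of httpd: one way to emit the host parameter as an RFC 7230 quoted-string regardless of what upstream validation has already done. The function name forwarded_host_param and the sample Host values are assumptions made for illustration, and a plain caller-supplied buffer stands in for the APR pool used in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd or patch code): writes `; host="<host>"`
 * into out as an RFC 7230 quoted-string. '"' and '\' are emitted as
 * quoted-pairs; control bytes (CR, LF, TAB, DEL, ...) are refused, since
 * none is valid in a Host value and CR/LF would split the header.
 * Returns bytes written (excluding the NUL), or -1 on a control byte or
 * when the result does not fit; on -1 the contents of out are unspecified. */
int forwarded_host_param(const char *host, char *out, size_t outlen)
{
    static const char prefix[] = "; host=\"";
    size_t n = sizeof(prefix) - 1;
    const unsigned char *p;

    if (outlen < n + 2)                 /* prefix + closing quote + NUL */
        return -1;
    memcpy(out, prefix, n);

    for (p = (const unsigned char *)host; *p != '\0'; p++) {
        size_t need = (*p == '"' || *p == '\\') ? 2 : 1;

        if (*p < 0x20 || *p == 0x7f)
            return -1;
        if (n + need + 2 > outlen)      /* keep room for '"' and NUL */
            return -1;
        if (need == 2)
            out[n++] = '\\';
        out[n++] = (char)*p;
    }
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample Host values, not taken from the bug report. */
    const char *samples[] = { "example.com:8080", "a\"; for=1.2.3.4",
                              "a\r\nX-Injected: 1" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (forwarded_host_param(samples[i], buf, sizeof(buf)) < 0)
            puts("rejected");
        else
            puts(buf);
    }
    return 0;
}
```

With the quote escaped, the second sample stays inside the host value instead of ending it and appearing to a downstream parser as a separate for= parameter.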