Bug 58001

Summary: Implement Forwarded header (RFC 7239) to mod_proxy_http
Product: Apache httpd-2 Reporter: Takashi Sato <takashi.asfbugzilla>
Component: mod_proxy_httpAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement CC: bz.apache.org
Priority: P2 Keywords: PatchAvailable
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: All   
Attachments: Add Forwarded header

Description Takashi Sato 2015-06-04 07:51:25 UTC
According to the document, mod_proxy_http supports X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server.
Last year RFC 7239 standardized a new Forwarded header.
Comment 1 Christian Schmidt 2017-08-08 20:48:29 UTC
Created attachment 35207 [details]
Add Forwarded header

This patch adds the Forwarded header in the same manor as X-Forwarded-*.

I added a new configuration variable, ProxyAddForwardedHeader, in addition to ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in order to stay conservative, but I don't know what the general policy about such things is in this project.
Comment 2 best 2017-08-09 10:05:32 UTC
Cool! This looks good. Except that the content of the "Host" header is not escaped, which could raise security threats if the request Host header contains chars like ";

3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL);
Comment 3 Christian Schmidt 2017-08-09 18:46:22 UTC
AFAICT the Host header is already sanitized. All my attempts to inject invalid characters in this header result in a "400 Bad Request" response.

However, I am new to Apache development, so I'd appreciate any guidance on how to deal with this issue, i.e. which validation functions to use etc.