| Summary: | Implement Forwarded header (RFC 7239) to mod_proxy_http | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Takashi Sato <takashi.asfbugzilla> |
| Component: | mod_proxy_http | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | ||
| Severity: | enhancement | CC: | bz.apache.org |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.5-HEAD | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | All | ||
| Attachments: | Add Forwarded header | ||
|
Description
Takashi Sato
2015-06-04 07:51:25 UTC
Created attachment 35207 [details]
Add Forwarded header
This patch adds the Forwarded header in the same manor as X-Forwarded-*.
I added a new configuration variable, ProxyAddForwardedHeader, in addition to ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in order to stay conservative, but I don't know what the general policy about such things is in this project.
Cool! This looks good. Except that the content of the "Host" header is not escaped, which could raise security threats if the request Host header contains chars like "; 3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL); AFAICT the Host header is already sanitized. All my attempts to inject invalid characters in this header result in a "400 Bad Request" response. However, I am new to Apache development, so I'd appreciate any guidance on how to deal with this issue, i.e. which validation functions to use etc. |