Bug 63799 - X-Forwarded-Host is a concatenated list instead of containing one host
Summary: X-Forwarded-Host is a concatenated list instead of containing one host
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy (show other bugs)
Version: 2.4.41
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-02 16:32 UTC by sielaq
Modified: 2019-10-02 16:32 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description sielaq 2019-10-02 16:32:59 UTC 
Hi,

Apache httpd version 2.4.41

I found a strange behavior
when Apache is behind another proxy that has set X-Forwarded-Host already.
and the request goes through proxypass

X-Forwarded-Host got Host appended 
instead of keeping original if exists
https://github.com/apache/httpd/blob/trunk/modules/proxy/proxy_util.c#L3839

Looks like someone has mix X-Forwarded-For (a list) with X-Forwarded-Host (only one Host)

Way to reproduce :

```
FROM httpd:latest

RUN echo "\
LoadModule proxy_module modules/mod_proxy.so \n\
LoadModule proxy_http_module modules/mod_proxy_http.so \n\
<VirtualHost *> \n\
  ProxyRequests Off \n\
  ProxyPreserveHost Off \n\
  ProxyPass /bar http://foo.intranet/bar \n\
</VirtualHost>" >> conf/httpd.conf
```

docker  build . --tag foo
docker run -ti -p 3080:80 foo
curl -v -H 'X-Forwarded-Host: foo.bar' localhost:3080/bar


The header that foo.intranet gonna get will be:

`X-Forwarded-Host: foo.bar, localhost`


The proper behavior should be keep original (or replace if specified),
but do not concatenate - header do not match RFC then.

best regards
Wojciech