Issue #4504 Forwarded Host and Server (#4511)

X-Forwarded-Host has precedence of X-Forwarded-Server and outcome is not order dependent.

Signed-off-by: Greg Wilkins <gregw@webtide.com>
This commit is contained in:
Greg Wilkins 2020-01-24 11:20:52 +01:00 committed by GitHub
parent ff19bef4dc
commit 56754f4a29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 2 deletions

View File

@ -397,11 +397,21 @@ public class ForwardedRequestCustomizer implements Customizer
request.setSecure(true);
}
if (forwarded._host != null)
if (forwarded._server != null && forwarded._host instanceof PortSetHostPort)
{
httpFields.put(new HostPortHttpField(forwarded._server, forwarded._host.getPort()));
request.setAuthority(forwarded._server, forwarded._host.getPort());
}
else if (forwarded._host != null)
{
httpFields.put(new HostPortHttpField(forwarded._host));
request.setAuthority(forwarded._host.getHost(), forwarded._host.getPort());
}
else if (forwarded._server != null)
{
httpFields.put(new HostPortHttpField(forwarded._server));
request.setAuthority(forwarded._server, 0);
}
if (forwarded._for != null)
{
@ -546,6 +556,7 @@ public class ForwardedRequestCustomizer implements Customizer
String _proto;
HostPort _for;
HostPort _host;
String _server;
public Forwarded(Request request, HttpConfiguration config)
{
@ -598,7 +609,7 @@ public class ForwardedRequestCustomizer implements Customizer
{
if (getProxyAsAuthority())
return;
handleHost(field);
_server = getLeftMost(field.getValue());
}
@SuppressWarnings("unused")

View File

@ -412,6 +412,34 @@ public class ForwardedRequestCustomizerTest
.requestURL("https://www.example.com:4333/")
.remoteAddr("8.5.4.3").remotePort(2222)
),
Arguments.of(new Request("X-Forwarded-* (Server before Host)")
.headers(
"GET / HTTP/1.1",
"Host: myhost",
"X-Forwarded-Proto: https",
"X-Forwarded-Server: fw.example.com",
"X-Forwarded-Host: www.example.com",
"X-Forwarded-Port: 4333",
"X-Forwarded-For: 8.5.4.3:2222"
),
new Expectations()
.scheme("https").serverName("www.example.com").serverPort(4333)
.requestURL("https://www.example.com:4333/")
.remoteAddr("8.5.4.3").remotePort(2222)
),
Arguments.of(new Request("X-Forwarded-* (Server and Port)")
.headers(
"GET / HTTP/1.1",
"Host: myhost",
"X-Forwarded-Server: fw.example.com",
"X-Forwarded-Port: 4333",
"X-Forwarded-For: 8.5.4.3:2222"
),
new Expectations()
.scheme("http").serverName("fw.example.com").serverPort(4333)
.requestURL("http://fw.example.com:4333/")
.remoteAddr("8.5.4.3").remotePort(2222)
),
// =================================================================
// Mixed Behavior