|Subject:||url() does not handle multi-valued X-Forwarded-Host|
The url() method in CGI.pm examines the X-Forwarded-Host header to determine the vhost name, but does not cater for this header containing a comma-separated list (which can happen if the request has passed through multiple reverse proxies). The apache documentation <> says: "Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers." The Catalyst code caters for this by taking the last value in the list. The attached patch makes CGI.pm follow the same behaviour.
diff -uNr CGI.pm-3.49.ORI/lib/CGI.pm CGI.pm-3.49/lib/CGI.pm --- CGI.pm-3.49.ORI/lib/CGI.pm 2010-01-29 14:41:54.000000000 +0000 +++ CGI.pm-3.49/lib/CGI.pm 2010-02-10 16:55:24.718751000 +0000 @@ -2856,6 +2856,8 @@ my $protocol = $self->protocol(); $url = "$protocol://"; my $vh = http('x_forwarded_host') || http('host') || ''; + $vh =~ s/^.*,\s*//; # x_forwarded_host may be a comma-separated list (e.g. when the request has + # passed through multiple reverse proxies. Take the last one. $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. $url .= $vh || server_name();