Subject: Bug in virtual_host method in some corner cases
We have found in one of our deployments a corner case where the 'virtual_host' method returns a list of hosts separated by commas. A sample of the return, which is not a real one:

    publicname.ahost.thedomain, notsopublicname.ahost.thedomain

We have inspected code from CGI-3.49 to CGI-3.52, but we suspect the bug has been present since the creation of the 'virtual_host' method. We have tested with Perl 5.8.8 on Mac OS X 10.5 PPC and with Perl 5.12.2 on Gentoo Linux x86_64.

The 'virtual_host' method returns the information from the X-Forwarded-Host header. In configurations where you have a public HTTP virtual host which is proxying HTTP servers behind a NAT, and one of those HTTP servers is also a virtual host, you can get from the X-Forwarded-Host header a list of hostnames separated by commas.

We think the scenario can be reproduced with a couple of Apache servers on different machines, both of them configured for virtual hosting, and one of them proxying the other one.

The easy way to fix this corner case bug would be adding the following line just after the first assignment of the '$vh' variable:

    $vh =~ s/^([^,]+),.*/$1/;

which discards the additional hostnames (the first one should be the right one).
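The following is an added example, not part of the original report and not CGI.pm code: a stand-alone helper that handles a comma-separated X-Forwarded-Host value the way the proposed substitution does, and goes further by trimming whitespace, dropping a port and validating the result. Because the header arrives with the request, the example also checks the hostname against an allowlist; the function name `first_forwarded_host`, the `%ALLOWED_HOST` table and all sample values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allowlist of public names this site answers to (constructed).
my %ALLOWED_HOST = map { $_ => 1 } qw(
    publicname.ahost.thedomain
);

# Return the first hostname from an X-Forwarded-Host value, lower-cased and
# without a port, or undef if it is empty, malformed or not on the allowlist.
sub first_forwarded_host {
    my ($header) = @_;
    return unless defined $header && length $header;

    # Chained proxies produce "host1, host2"; keep the first entry, as the
    # substitution proposed in the report does, then trim whitespace.
    my ($first) = split /,/, $header, 2;
    return unless defined $first;
    $first =~ s/^\s+|\s+$//g;

    # Drop an optional :port and normalise case.
    $first =~ s/:\d+\z//;
    $first = lc $first;

    # Accept only DNS-style labels (letters, digits, hyphen) joined by dots.
    my $label = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/;
    return unless $first =~ /\A$label(?:\.$label)*\z/;

    return $ALLOWED_HOST{$first} ? $first : undef;
}

# Constructed sample header values.
for my $value (
    'publicname.ahost.thedomain, notsopublicname.ahost.thedomain',
    'PublicName.ahost.thedomain:8080',
    'unknown.example, publicname.ahost.thedomain',
    'bad host"name',
    '',
) {
    my $host = first_forwarded_host($value);
    printf "%-62s => %s\n", "'$value'", defined $host ? $host : '(rejected)';
}
```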