

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 79516
Status: resolved
Priority: 0
Queue: CGI

Owner: Nobody in particular
Requestors: brettcsmith [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Sat, 8 Sep 2012 09:33:45 -0400
To: [...]
From: Brett Smith <brettcsmith [...]>
Hi, I recently discovered an issue with an application using behind a proxy. In some situations, it would create redirect URLs that started with ",". Turns out that X-Forwarded-Host can include multiple comma-space-separated hosts. Apache's mod_proxy documentation describes this in more detail. As of this morning's git checkout, may use X-Forwarded-Host verbatim in the host portion of a redirect URL. Since I'm pretty sure a comma-space string will never work there, this patch has use the first host named in X-Forwarded-Host. Thanks, --- lib/ | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/lib/ b/lib/ index f510680..080a4ec 100644 --- a/lib/ +++ b/lib/ @@ -2817,7 +2817,9 @@ sub url { my $protocol = $self->protocol(); $url = "$protocol://"; my $vh = http('x_forwarded_host') || http('host') || ''; - $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. + # If there's more than one forwarded host, use the first one. + $vh = (split(/, /, $vh))[0]; + $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. $url .= $vh || server_name(); --
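Review bot: taking the first element in `$vh = (split(/, /, $vh))[0];` picks the wrong end of the list from a security standpoint. A proxy that merges into an existing X-Forwarded-Host appends its own value, so the first element is whatever the client sent and the proxy-supplied value is the last one; with this hunk a request carrying a forged X-Forwarded-Host gets a redirect built on an attacker-chosen host. The split itself is also fragile: it only matches the two-character sequence ", ", while the HTTP list syntax allows "a.example,b.example" with no space, which this leaves intact for the following `s/\:\d+$//` and the URL. Suggest `split(/\s*,\s*/, $vh)` and, at minimum, the last element rather than the first; the unchanged context line `http('x_forwarded_host') || http('host') || ''` still honours the header unconditionally, so a note in the docs that this is only safe behind a proxy that sets it would be worth adding as well.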
Subject: Re: [ #79516] [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Tue, 11 Sep 2012 17:19:57 -0400
To: [...]
From: Mark Stosberg <mark [...]>
I'm familiar with X-Forwarded-Host possibly having multiple domains in it and will take a look. Thanks for the feedback. Mark
This issue has been copied to: please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
Well this is interesting, see #70 and 786165e1ed07e42b2590608ec117a0dcb366d39c. We are now taking the *last* IP in the list as this is the convention in other frameworks.
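As an added example, not part of this ticket and not CGI.pm's own code, the following Perl shows the two points the thread turns on: the header may be joined with or without a space after the comma, and which element can be trusted depends on who appended it. The `forwarded_host()` helper, its `allowed` option and the sample requests are constructed for illustration and do not exist in CGI.pm.

```perl
#!/usr/bin/env perl
# Added example (not CGI.pm's code): choose the host for a self-referential
# URL from X-Forwarded-Host, using a hypothetical forwarded_host() helper.
use strict;
use warnings;

# Returns the host to put in the URL, or undef when no acceptable host exists.
# A proxy that merges into an existing X-Forwarded-Host appends its own value,
# so the LAST element is the proxy's and everything before it came from the client.
sub forwarded_host {
    my ($xfh, $host, %opt) = @_;
    my %allowed = map { lc($_) => 1 } @{ $opt{allowed} // [] };

    # HTTP list syntax: comma with optional surrounding whitespace
    my @hops = grep { length } map { my $h = $_; $h =~ s/^\s+|\s+$//g; $h }
               split /,/, ($xfh // '');

    my $candidate = @hops ? $hops[-1] : ($host // '');
    return undef unless length $candidate;

    # Drop a trailing port, for both plain names and bracketed IPv6 literals
    $candidate =~ s/^(\[[^\]]+\]|[^:]+)(?::\d+)?$/$1/;
    $candidate = lc $candidate;

    # No allowlist: accept whatever the header says (what the patch above does).
    # With one: anything not listed is rejected, so a forged value is never used.
    return $candidate unless %allowed;
    return $allowed{$candidate} ? $candidate : undef;
}

# Constructed sample requests, not taken from a real log.
my @cases = (
    # client forged X-Forwarded-Host and the proxy appended the real one
    [ 'evil.example, app.example.com', 'backend:8080' ],
    # same, joined without a space, which the list syntax permits
    [ 'evil.example,app.example.com',  'backend:8080' ],
    # no proxy header at all: fall back to Host
    [ undef,                           'app.example.com:443' ],
    # only a client-forged value, nothing appended by a trusted proxy
    [ 'evil.example',                  'backend:8080' ],
);

for my $c (@cases) {
    my ($xfh, $host) = @$c;
    my $h = forwarded_host($xfh, $host, allowed => ['app.example.com']);
    printf "%-35s -> %s\n", $xfh // '(no X-Forwarded-Host)',
        defined $h ? "https://$h/" : 'rejected';
}
```

The first three requests all resolve to `https://app.example.com/` and the fourth is rejected. Taking the last element matches the change referenced in the final comment, but the allowlist is what actually keeps a forged header out of a redirect: a client can send any X-Forwarded-Host value, and if no proxy sits in front the application sees it unchanged.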
