reverseproxy: Sanitize scheme and host on incoming requests (#4237)
* caddyhttp: Sanitize scheme and host on incoming requests * reverseproxy: Sanitize the URL scheme and host before proxying * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
parent
012d235314
commit
f73f55dba7
1 changed files with 14 additions and 0 deletions
@ -395,9 +395,23 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
|
||||||
// should not permanently change r.Host; issue #3509)
|
// should not permanently change r.Host; issue #3509)
|
||||||
reqHost := r.Host
|
reqHost := r.Host
|
||||||
reqHeader := r.Header
|
reqHeader := r.Header
|
||||||
|
|
||||||
|
// sanitize the request URL; we expect it to not contain the scheme and host
|
||||||
|
// since those should be determined by r.TLS and r.Host respectively, but
|
||||||
|
// some clients may include it in the request-line, which is technically
|
||||||
|
// valid in HTTP, but breaks reverseproxy behaviour, overriding how the
|
||||||
|
// dialer will behave. See #4237 for context.
|
||||||
|
origURLScheme := r.URL.Scheme
|
||||||
|
origURLHost := r.URL.Host
|
||||||
|
r.URL.Scheme = ""
|
||||||
|
r.URL.Host = ""
|
||||||
|
|
||||||
|
// restore modifications to the request after we're done proxying
|
||||||
defer func() {
|
defer func() {
|
||||||
r.Host = reqHost // TODO: data race, see #4038
|
r.Host = reqHost // TODO: data race, see #4038
|
||||||
r.Header = reqHeader // TODO: data race, see #4038
|
r.Header = reqHeader // TODO: data race, see #4038
|
||||||
|
r.URL.Scheme = origURLScheme
|
||||||
|
r.URL.Host = origURLHost
|
||||||
}()
|
}()
|
||||||
|
|
||||||
start := time.Now()
|
start := time.Now()
|
||||||
|
|
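Review bot: The save/clear/restore around `origURLScheme` and `r.URL.Host = ""` covers only Scheme and Host, but an absolute-form request-line can also leave `r.URL.User` (userinfo) set and, for a target such as `http:foo`, `r.URL.Opaque`; neither is touched here. Since `URL.RequestURI()` prefers a non-empty `Opaque` over `Path`, an upstream could receive a request-target that the path matchers earlier in the chain never evaluated — worth confirming against what net/url's request-line parsing actually produces on the Go version in use. If it holds, extend the same pattern to those fields, e.g. `origURLUser, origURLOpaque := r.URL.User, r.URL.Opaque` and `r.URL.User, r.URL.Opaque = nil, ""`, with the matching two assignments added to the deferred restore. The deferred restore also inherits the data race already flagged on `r.Host`/`r.Header` (#4038), so the new `r.URL.*` writes deserve the same `// TODO` marker rather than appearing race-free by omission. `ServeHTTP` begins and ends outside this hunk.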