opensource/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-11-04 01:19:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

reverseproxy: Sanitize scheme and host on incoming requests (#4237)

Browse Source 
* caddyhttp: Sanitize scheme and host on incoming requests

* reverseproxy: Sanitize the URL scheme and host before proxying

* Apply suggestions from code review

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
Francis Lavoie
2021-10-26 16:41:28 -04:00
committed by GitHub
parent 012d235314
commit f73f55dba7
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
modules/caddyhttp/reverseproxy/reverseproxy.go
View File

@ -395,9 +395,23 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
// should not permanently change r.Host; issue #3509) // should not permanently change r.Host; issue #3509)
reqHost := r.Host reqHost := r.Host
reqHeader := r.Header reqHeader := r.Header
// sanitize the request URL; we expect it to not contain the scheme and host
// since those should be determined by r.TLS and r.Host respectively, but
// some clients may include it in the request-line, which is technically
// valid in HTTP, but breaks reverseproxy behaviour, overriding how the
// dialer will behave. See #4237 for context.
origURLScheme := r.URL.Scheme
origURLHost := r.URL.Host
r.URL.Scheme = ""
r.URL.Host = ""
// restore modifications to the request after we're done proxying
defer func() { defer func() {
r.Host = reqHost // TODO: data race, see #4038 r.Host = reqHost // TODO: data race, see #4038
r.Header = reqHeader // TODO: data race, see #4038 r.Header = reqHeader // TODO: data race, see #4038
r.URL.Scheme = origURLScheme
r.URL.Host = origURLHost
}() }()
start := time.Now() start := time.Now()