
Reverse proxy handling does not handle X-Forwarded-Host with comma separated values #2370

Closed
urhot opened this issue Aug 23, 2019 · 0 comments

@urhot commented Aug 23, 2019

This is a follow-up to issue #2366, where X-Forwarded-Host was fixed to read a string instead of an array when running on Owin.

After some further real-life testing, it turns out that while the value is only a single string, it may actually contain a comma separated list of values.

There's no clear specification of this, since the header is non-standard, but in practice some proxies will pass multiple hosts separated by comma. For example:

X-Forwarded-Host: example.com, example.com

The logic for handling this header should probably be:

  • If multiple headers exist in the same request, pick the first one
  • If that header contains comma separated values, pick the first value

An example of Apache generating a comma separated header, when the proxy is behind another proxy:

Test requests:

% curl --silent -H "X-Forwarded-Host: example.com" "http://localhost/SwaggerTest1/swagger/v1/swagger.json" | grep "host"
  "host": "example.com",

% curl --silent -H "X-Forwarded-Host: example.com, example.com" "http://localhost/SwaggerTest1/swagger/v1/swagger.json"
[UriFormatException]: Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Uri..ctor(String uriString)
   at NSwag.AspNet.Owin.HttpRequestExtension.GetServerUrl(IOwinRequest request)
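One way to implement the two rules proposed above, as an added C# example that is not NSwag's own code (the class and method names are assumptions): it takes the first X-Forwarded-Host header, then the first comma-separated entry, and rejects anything System.Uri would refuse, so a proxy-supplied value like the one in the trace cannot reach `new Uri(...)` and throw UriFormatException.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example, not NSwag's own code: first header, then first comma-separated
// value, then validation so new Uri(...) downstream cannot throw on bad input.
public static class ForwardedHost
{
    // headerValues: every X-Forwarded-Host value on the request, in order
    // (OWIN may expose one string or several). Returns null if unusable.
    public static string PickForwardedHost(IEnumerable<string> headerValues)
    {
        // Rule 1: several headers in one request -> take the first.
        var first = headerValues?.FirstOrDefault(v => !string.IsNullOrWhiteSpace(v));
        if (first == null) return null;
        // Rule 2: "example.com, example.com" -> take the first entry.
        var candidate = first.Split(',')[0].Trim();
        return IsValidHostAndPort(candidate) ? candidate : null;
    }

    // Accepts "host", "host:port", "[v6]" or "[v6]:port" and nothing else.
    public static bool IsValidHostAndPort(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        string hostPart = value, portPart = null;
        int colon = value.IndexOf(':');
        if (value.StartsWith("["))
        {
            int close = value.IndexOf(']');
            if (close < 0) return false;
            hostPart = value.Substring(0, close + 1);
            string rest = value.Substring(close + 1);
            if (rest.Length > 0) { if (rest[0] != ':') return false; portPart = rest.Substring(1); }
        }
        else if (colon >= 0)
        {
            // A second ':' means an unbracketed IPv6 literal or junk: reject.
            if (value.IndexOf(':', colon + 1) >= 0) return false;
            hostPart = value.Substring(0, colon);
            portPart = value.Substring(colon + 1);
        }
        if (portPart != null && !(ushort.TryParse(portPart, out var port) && port > 0)) return false;
        // Uri.CheckHostName returns Unknown for anything System.Uri would reject.
        return Uri.CheckHostName(hostPart) != UriHostNameType.Unknown;
    }

    public static void Main()
    {
        // Constructed inputs; the first is the header from the issue report.
        foreach (var h in new[] { "example.com, example.com", "[::1]:8080", "bad host, x" })
            Console.WriteLine($"{h} -> {PickForwardedHost(new[] { h }) ?? "(rejected)"}");
    }
}
```

Callers that fall back to the request's own Host when this returns null get the same behaviour as before the header was honoured, rather than a 500 from the URI parser.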

@RicoSuter closed this in 8d3b67d Aug 23, 2019
