
authproxy.md: strip X-Remote-User #1103

Merged
merged 1 commit into from
Oct 26, 2017

Conversation

stapelberg
Contributor

follow-up for #1100

@ericchiang
Contributor

ericchiang commented Oct 26, 2017

@stapelberg can you make a change to dex's code as well? I'd like for dex's server to remove any X-Remote-* header values sent to /callback and not /callback/{connector}

@stapelberg
Contributor Author

Sure. Done.

server/server.go (Outdated)

```go
r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
	// Strip the X-Remote-User header to prevent security issues on
	// misconfigured authproxy connector setups.
	r.Header.Del("X-Remote-User")
```
Contributor

Let's future-proof this against other headers:

```go
for key := range r.Header {
	if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
		r.Header.Del(key)
	}
}
```

Contributor Author

Done.

@ericchiang ericchiang left a comment

lgtm
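The routing asked for in this thread (strip every X-Remote-* header on the bare /callback path, leave /callback/{connector} alone so the authproxy connector can still read what the trusted proxy set), written out as a runnable added example; this is not dex's own code, and the handler names, the echo handler and the "alice" header value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// stripRemoteHeaders drops every X-Remote-* header before the wrapped handler
// runs, so a value a client sent directly cannot be mistaken for one set by a
// trusted reverse proxy. The match is case-insensitive, as in the review
// suggestion; deleting by the stored map key (rather than Header.Del, which
// canonicalises its argument) also removes names inserted without canonicalisation.
func stripRemoteHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for key := range r.Header {
			if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
				delete(r.Header, key)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// echoRemoteUser stands in for the real callback handlers (constructed for the
// example): it writes back whatever X-Remote-User value reached it, empty if stripped.
func echoRemoteUser(w http.ResponseWriter, r *http.Request) {
	io.WriteString(w, r.Header.Get("X-Remote-User"))
}

// newCallbackMux wires the two routes as the review asked: the bare /callback
// path is protected, the per-connector /callback/{connector} subtree is not.
func newCallbackMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/callback", stripRemoteHeaders(http.HandlerFunc(echoRemoteUser)))
	mux.HandleFunc("/callback/", echoRemoteUser)
	return mux
}

// remoteUserSeen sends a request carrying a constructed X-Remote-User header
// to path and returns the value the handler observed.
func remoteUserSeen(h http.Handler, path string) string {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Remote-User", "alice") // constructed, simulates a client-supplied header
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	mux := newCallbackMux()
	fmt.Printf("/callback saw %q\n", remoteUserSeen(mux, "/callback"))
	fmt.Printf("/callback/authproxy saw %q\n", remoteUserSeen(mux, "/callback/authproxy"))
}
```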

@ericchiang ericchiang merged commit 3d65b77 into dexidp:master Oct 26, 2017
@stapelberg stapelberg deleted the authproxy branch October 27, 2017 07:08
mmrath pushed a commit to mmrath/dex that referenced this pull request Sep 2, 2019
authproxy.md: strip X-Remote-User