X-Forwarded-Host may contain commas

[insom]

Hi,

At work, we recently switched to a set up with an Apache mod_proxy at the edge of our network and then another mod_proxy local to the machine one of our applications is hosted on. This lead to us getting this header back from a Flask app:

Location: http://vooadmin.temp.iweb.co.uk, vooadmin.temp.iweb.co.uk/users/login

And we traced this back to the X-Forwarded-Host header which, when using two Apache mod_proxy instances, can be comma separated. The Django guys had this 5 years ago: https://code.djangoproject.com/ticket/9064 but their solution was to remove support for trusting this header.

In our app we just used RequestHeader unset X-Forwarded-Host in Apache as a work around, but the default behaviour in Werkzeug could probably be improved to just use the first entry if it's comma separated.

Aaron

[DazWorrall]

Should this be the job of werkzeug.contrib.fixers.ProxyFix? [edit] It does appear to already process this header.

[untitaker]

I don't think the provided builtin fixers should sacrifice overall performance to cover all edge cases. Writing own fixers to cover the own cases is usually easy enough and makes for better performance too.

[mitsuhiko]

I think this makes sense to fix :)