Skip to content

Fix forwarded proto handling for public URL detection#36810

Merged
wxiaoguang merged 4 commits intogo-gitea:mainfrom
lunny:lunny/fix_reverseproxy_proto
Mar 5, 2026
Merged

Fix forwarded proto handling for public URL detection#36810
wxiaoguang merged 4 commits intogo-gitea:mainfrom
lunny:lunny/fix_reverseproxy_proto

Conversation

@lunny
Copy link
Copy Markdown
Member

@lunny lunny commented Mar 3, 2026

  • normalize X-Forwarded-Proto/related headers to accept only http/https
  • ignore malformed or injected scheme values to prevent spoofed canonical URLs
  • add tests covering malicious and multi-valued forwarded proto headers

Generated by a coding agent with Codex 5.2

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 3, 2026
@github-actions github-actions bot added the modifies/go Pull requests that update Go code label Mar 3, 2026
@wxiaoguang
Copy link
Copy Markdown
Contributor

wxiaoguang commented Mar 3, 2026
edited
Loading

  • multi-valued forwarded proto headers

Why it should happen?

image

wxiaoguang
wxiaoguang reviewed Mar 3, 2026
View reviewed changes
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 3, 2026
@wxiaoguang wxiaoguang added the backport/v1.25 This PR should be backported to Gitea 1.25 label Mar 3, 2026
@wxiaoguang wxiaoguang force-pushed the lunny/fix_reverseproxy_proto branch from f24a736 to 7f765bc Compare March 3, 2026 09:28
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 5, 2026
@wxiaoguang wxiaoguang enabled auto-merge (squash) March 5, 2026 15:54
@wxiaoguang wxiaoguang disabled auto-merge March 5, 2026 15:55
@wxiaoguang wxiaoguang merged commit 723ce35 into go-gitea:main Mar 5, 2026
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Mar 5, 2026
@wxiaoguang wxiaoguang deleted the lunny/fix_reverseproxy_proto branch March 5, 2026 16:31
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Mar 5, 2026
@lunny @wxiaoguang @GiteaBot
Fix forwarded proto handling for public URL detection (go-gitea#36810)
38ccb55 
Normalize `X-Forwarded-Proto` related headers to accept only `http`/`https`

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot mentioned this pull request Mar 5, 2026
Merged
@GiteaBot GiteaBot added the backport/done All backports for this PR have been created label Mar 5, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 6, 2026
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
9ad2bd8 
* giteaofficial/main:
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 6, 2026
@silverwind
Merge remote-tracking branch 'origin/main' into fixmerge
f626aa0 
* origin/main: (27 commits)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
  [skip ci] Updated translations via Crowdin
  fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions (go-gitea#36818)
  Fix CRAN package version validation to allow more than 4 version components (go-gitea#36813)
  Fix API not persisting pull request unit config when has_pull_requests is not set (go-gitea#36718)
  feat: Add Actions API rerun endpoints for runs and jobs (go-gitea#36768)
  Fix bug when pushing mirror with wiki (go-gitea#36795)
  Pull Request Pusher should be the author of the merge (go-gitea#36581)
  Delete non-exist branch should return 404 (go-gitea#36694)
  ...

# Conflicts:
#	routers/web/repo/issue_view.go
silverwind added a commit that referenced this pull request Mar 6, 2026
@GiteaBot @lunny
@wxiaoguang @silverwind
Fix forwarded proto handling for public URL detection (#36810) (#36836)
e2517e0 
Backport #36810 by @lunny

- normalize `X-Forwarded-Proto`/related headers to accept only
`http`/`https`
- ignore malformed or injected scheme values to prevent spoofed
canonical URLs
- add tests covering malicious and multi-valued forwarded proto headers

---
Generated by a coding agent with Codex 5.2

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 8, 2026
@silverwind
Merge branch 'main' into cm
8df7e3f 
* main: (26 commits)
  Clean up `refreshViewedFilesSummary` (go-gitea#36868)
  Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867)
  Optimize Docker build with dependency layer caching (go-gitea#36864)
  Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861)
  Fix CodeQL code scanning alerts (go-gitea#36858)
  Refactor auth middleware (go-gitea#36848)
  Update Nix flake (go-gitea#36857)
  Update JS deps (go-gitea#36850)
  Load `mentionValues` asynchronously (go-gitea#36739)
  [skip ci] Updated translations via Crowdin
  Fix dbfs error handling (go-gitea#36844)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  ...

# Conflicts:
#	pnpm-lock.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created backport/v1.25 This PR should be backported to Gitea 1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

4 participants

@lunny @wxiaoguang @silverwind @GiteaBot