Skip to content

Fix forwarded proto handling for public URL detection (#36810)#36836

Merged
silverwind merged 4 commits intogo-gitea:release/v1.25from
GiteaBot:backport-36810-v1.25
Mar 6, 2026
Merged

Fix forwarded proto handling for public URL detection (#36810)#36836
silverwind merged 4 commits intogo-gitea:release/v1.25from
GiteaBot:backport-36810-v1.25

Conversation

@GiteaBot
Copy link
Copy Markdown
Collaborator

@GiteaBot GiteaBot commented Mar 5, 2026

Backport #36810 by @lunny

  • normalize X-Forwarded-Proto/related headers to accept only http/https
  • ignore malformed or injected scheme values to prevent spoofed canonical URLs
  • add tests covering malicious and multi-valued forwarded proto headers

Generated by a coding agent with Codex 5.2

@lunny @wxiaoguang @GiteaBot
Fix forwarded proto handling for public URL detection (go-gitea#36810)
38ccb55 
Normalize `X-Forwarded-Proto` related headers to accept only `http`/`https`

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot added the modifies/go Pull requests that update Go code label Mar 5, 2026
@GiteaBot GiteaBot requested a review from silverwind March 5, 2026 19:31
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 5, 2026
@GiteaBot GiteaBot requested a review from wxiaoguang March 5, 2026 19:31
@GiteaBot GiteaBot added this to the 1.25.5 milestone Mar 5, 2026
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 5, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 5, 2026
@silverwind silverwind enabled auto-merge (squash) March 6, 2026 15:26
@yardenshoham yardenshoham added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 6, 2026
@silverwind silverwind merged commit e2517e0 into go-gitea:release/v1.25 Mar 6, 2026
26 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lunny lunny lunny approved these changes

@silverwind silverwind Awaiting requested review from silverwind

@wxiaoguang wxiaoguang Awaiting requested review from wxiaoguang

+1 more reviewer

@TheFox0x7 TheFox0x7 TheFox0x7 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@lunny lunny

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code

Projects

None yet

Milestone

1.25.5

Development

Successfully merging this pull request may close these issues.

5 participants

@GiteaBot @lunny @TheFox0x7 @silverwind @yardenshoham