Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 [Bug]: X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Protocol can have a comma-separated list #2151

Closed
3 tasks done
supakornbabe opened this issue Oct 12, 2022 · 1 comment · Fixed by #2154
Closed
3 tasks done

🐛 [Bug]: X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Protocol can have a comma-separated list #2151

supakornbabe opened this issue Oct 12, 2022 · 1 comment · Fixed by #2154
Labels
☢️ Bug

Comments

@supakornbabe
Copy link
Contributor

supakornbabe commented Oct 12, 2022
edited
Loading

Bug Description

The implement of c.Protocol() and c.Hostname() is wrong and the problem is happen when request is go through more than 1 proxies.

Reference: https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#page-header

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.

xp-framework/xp-framework#162

How to Reproduce

Steps to reproduce the behavior:

  1. Set up go fiber behind 2 proxies
  2. Use c.BaseURL(), c.Protocol(), c.Hostname() then these return comma separated list
BaseURL: https, https://hello.world.com, hello.world.com
Protocol: https, https
Hostname: hello.world.com, hello.world.com

Expected Behavior

c.BaseURL(), c.Protocol(), c.Hostname() return only first item in list

Reference: xp-framework/xp-framework#162

Fiber Version

v2.38.1

Code Snippet (optional)

package main

import "github.com/gofiber/fiber/v2"
import "log"

func main() {
  app := fiber.New()

  // Steps to reproduce

  log.Fatal(app.Listen(":3000"))
}

func LoginHandler(c *fiber.Ctx) error {
	fmt.Println("BaseURL: "+c.BaseURL())
	fmt.Println("Protocol: "+c.Protocol())
        fmt.Println("Hostname: "+c.Hostname())
}
Result
BaseURL: https, https://hello.world.com, hello.world.com
Protocol: https, https
Hostname: hello.world.com, hello.world.com

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have checked for existing issues that describe my problem prior to opening this one.
  • I understand that improperly formatted bug reports may be closed without explanation.
@welcome
Copy link

welcome bot commented Oct 12, 2022

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

@supakornbabe supakornbabe mentioned this issue Oct 14, 2022
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
☢️ Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🩹 Fix: handle multiple X-Forwarded header supakornbabe/fiber
1 participant
@supakornbabe