
Item14544: SCRIPTURL breaks when X-FORWARDED-HOST has multiple values.

Priority: Urgent
Current State: Closed
Released In: 2.1.5
Target Release: patch
Applies To: Engine
Component: ConfigureBootstrap, FoswikiEngine, FoswikiRequest
Branches: Item14380 Release02x01 master Item14288 Item14454 Item14537
Reported By: AdrianHolfter
Waiting For:
Last Change By: GeorgeClark
In a setup with e.g. multiple reverse proxies or load balancers, it can happen that the X-FORWARDED-HOST request header contains multiple values, separated by a comma and space. In this case, URLs generated with SCRIPTURL are broken.

This could be worked around by enabling {ForceDefaultUrlHost}, but this conflicts with our need to be able to reach the Foswiki on different domains.

-- AdrianHolfter - 27 Nov 2017

We have a setting - $Foswiki::cfg{PROXY}{UseForwardedForHeader}. We should probably add an equivalent $Foswiki::cfg{PROXY}{UseForwardedHostPortHeader}. And apply the first in list of both Hostname and Port when building the URL. (Oops... this is a planned enhancement for Foswiki 2.2, not in released code yet.)

The Bootstrap code does process FORWARDED-HOST but without splitting it.

The Foswiki 2.2 features are part of Item14380. It obviously needs some additional work. Looks like we need to properly handle X-Forwarded-Proto, X-Forwarded-Port, X-Forwarded-Host and X-Forwarded-For. Only Forwarded-Host and Forwarded-For seem to have any consistent use. I've found other packages, drupal, etc. with activity discussing these headers. We discussed this at today's Release meeting. We should centralize parsing of the X-Forwarded-* headers into a utility routine somewhere, so that Foswiki->getScriptUrl(), Foswiki::Request->url(), Foswiki::Configure::Bootstrap and the various Engines treat these headers consistently.

-- GeorgeClark - 27 Nov 2017
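The following is an added illustration of the centralized parsing routine discussed above, written in standalone Python rather than Foswiki's Perl; it is not Foswiki code and the sample headers, the host allow-list and the `DEFAULT_ORIGIN` tuple are constructed for the example. It contrasts the breakage reported (the raw multi-valued X-Forwarded-Host pasted into a URL) with a resolver that takes the first entry of X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Port, and it adds the two checks a practitioner would want that the ticket does not spell out: the forwarded host is only honoured when it is syntactically a hostname and appears in an allow-list of names the wiki is actually served under (which still satisfies the multi-domain need, unlike `{ForceDefaultUrlHost}`), and X-Forwarded-For is read from the right by the number of trusted proxies, because its leftmost entry is whatever the client itself sent.

```python
"""Consistent X-Forwarded-* parsing for absolute URL generation.

Added example, not Foswiki's own code. Configuration names in comments
are Foswiki analogues only; values below are constructed.
"""
import re
from typing import Mapping, Optional, Tuple

# Hostname syntax: letters, digits, hyphens and dots (IPv4 literals fit too).
# Spaces, slashes, '@' and so on are rejected so a forged header cannot
# smuggle path or userinfo components into a generated URL.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values (assumed; not from any real deployment).
ALLOWED_HOSTS = frozenset({"wiki.example.org", "intranet.example.org"})
DEFAULT_ORIGIN = ("http", "backend.internal", 8080)   # analogue of {DefaultUrlHost}
CONSTRUCTED_HEADERS = {
    "Host": "backend.internal:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "wiki.example.org, lb.example.net",  # two proxies appended
    "X-Forwarded-For": "203.0.113.7, 198.51.100.2",
}


def first_value(header: Optional[str]) -> Optional[str]:
    """First comma-separated entry of a header, stripped; None if absent or empty."""
    if header is None:
        return None
    first = header.split(",", 1)[0].strip()
    return first or None


def split_host_port(hostport: str) -> Tuple[str, Optional[int]]:
    """'wiki.example.org:8443' -> ('wiki.example.org', 8443); no suffix -> (host, None)."""
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return hostport, None


def resolve_origin(headers: Mapping[str, str], *, use_forwarded: bool = True,
                   allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_ORIGIN) -> Tuple[str, str, int]:
    """Return (proto, host, port) from which absolute URLs are built.

    use_forwarded=False behaves like {ForceDefaultUrlHost}: forwarders are ignored.
    The leftmost X-Forwarded-Host entry is the name the client used; later
    entries are hops appended by downstream proxies. A host with bad syntax
    or outside the allow-list makes the chain untrusted: defaults are returned.
    """
    if not use_forwarded:
        return default
    h = {k.lower(): v for k, v in headers.items()}
    fwd_host = first_value(h.get("x-forwarded-host"))
    if not fwd_host:
        return default
    host, host_port = split_host_port(fwd_host)
    host = host.lower()
    if not _HOST_RE.match(host) or host not in allowed_hosts:
        return default
    proto = (first_value(h.get("x-forwarded-proto")) or "").lower()
    if proto not in _DEFAULT_PORTS:
        proto = default[0]
    port = _DEFAULT_PORTS[proto]
    if host_port:                      # explicit port inside X-Forwarded-Host
        port = host_port
    fwd_port = first_value(h.get("x-forwarded-port"))
    if fwd_port and fwd_port.isdigit() and 0 < int(fwd_port) < 65536:
        port = int(fwd_port)           # X-Forwarded-Port, first entry, wins
    return proto, host, port


def script_url(headers: Mapping[str, str], script: str = "view", **opts) -> str:
    """SCRIPTURL-style absolute URL, omitting the port when it is the scheme default."""
    proto, host, port = resolve_origin(headers, **opts)
    authority = host if port == _DEFAULT_PORTS.get(proto) else f"{host}:{port}"
    return f"{proto}://{authority}/bin/{script}"


def naive_script_url(headers: Mapping[str, str], script: str = "view") -> str:
    """The breakage reported on this page: the raw, unsplit header pasted into the URL."""
    return f"{headers['X-Forwarded-Proto']}://{headers['X-Forwarded-Host']}/bin/{script}"


def client_ip(xff: Optional[str], trusted_hops: int) -> Optional[str]:
    """Client address from X-Forwarded-For, counted from the right.

    The leftmost entry is whatever the client itself sent and is freely
    spoofable; each trusted proxy appends the peer it actually saw, so with
    N trusted proxies the real client is the Nth entry from the right.
    """
    if not xff or trusted_hops < 1:
        return None
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < trusted_hops:    # shorter than the expected chain: distrust
        return None
    return entries[-trusted_hops]


if __name__ == "__main__":
    print(naive_script_url(CONSTRUCTED_HEADERS))
    print(script_url(CONSTRUCTED_HEADERS))
    print(script_url(CONSTRUCTED_HEADERS, use_forwarded=False))
    print(client_ip(CONSTRUCTED_HEADERS["X-Forwarded-For"], trusted_hops=1))
```

The allow-list is the piece that makes honouring X-Forwarded-Host safe: unless the edge proxy is known to overwrite the header, a client can supply it directly, and every absolute URL the application emits (links, redirects, mail) would then point at an attacker-chosen name. Rejecting the whole forwarded chain on an unknown host, rather than mixing a forwarded scheme with the default host, keeps the result consistent.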

A partial fix for this will be in 2.1.5. - Bootstrap, and Foswiki::Request should now properly split the X-Forwarded-Host and will use the first entry.

The complete fix for Forwarders support will be in 2.2.

-- GeorgeClark - 08 Dec 2017
 
Topic revision: r12 - 31 Jan 2018, GeorgeClark
