[Bug 58001] New: Implement Forwarded header (RFC 7239) to mod_proxy_http

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 58001] New: Implement Forwarded header (RFC 7239) to mod_proxy_http

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58001

            Bug ID: 58001
           Summary: Implement Forwarded header (RFC 7239) to
                    mod_proxy_http
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_proxy_http
          Assignee: [hidden email]
          Reporter: [hidden email]

According to the document, mod_proxy_http supports X-Forwarded-For,
X-Forwarded-Host and X-Forwarded-Server.
Last year RFC 7239 standardized a new Forwarded header.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 58001] Implement Forwarded header (RFC 7239) to mod_proxy_http

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58001

Christian Schmidt <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 58001] Implement Forwarded header (RFC 7239) to mod_proxy_http

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58001

--- Comment #1 from Christian Schmidt <[hidden email]> ---
Created attachment 35207
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35207&action=edit
Add Forwarded header

This patch adds the Forwarded header in the same manor as X-Forwarded-*.

I added a new configuration variable, ProxyAddForwardedHeader, in addition to
ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in
order to stay conservative, but I don't know what the general policy about such
things is in this project.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 58001] Implement Forwarded header (RFC 7239) to mod_proxy_http

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58001

--- Comment #2 from [hidden email] ---
Cool! This looks good. Except that the content of the "Host" header is not
escaped, which could raise security threats if the request Host header contains
chars like ";

3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL);

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 58001] Implement Forwarded header (RFC 7239) to mod_proxy_http

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58001

--- Comment #3 from Christian Schmidt <[hidden email]> ---
AFAICT the Host header is already sanitized. All my attempts to inject invalid
characters in this header result in a "400 Bad Request" response.

However, I am new to Apache development, so I'd appreciate any guidance on how
to deal with this issue, i.e. which validation functions to use etc.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...