Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 79516
Status: resolved
Priority: 0/
Queue: CGI
People
Owner: Nobody in particular
Requestors: brettcsmith [...] brettcsmith.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Sat Sep 08 09:35:03 2012 brettcsmith [...] brettcsmith.org - Ticket created
Subject: [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Sat, 8 Sep 2012 09:33:45 -0400
To: bug-CGI.pm [...] rt.cpan.org
From: Brett Smith <brettcsmith [...] brettcsmith.org>
Hi, I recently discovered an issue with an application using CGI.pm behind a proxy. In some situations, it would create redirect URLs that started with "http://example.org, example.org/". Turns out that X-Forwarded-Host can include multiple comma-space-separated hosts. Apache's mod_proxy documentation describes this in more detail. As of this morning's git checkout, CGI.pm may use X-Forwarded-Host verbatim in the host portion of a redirect URL. Since I'm pretty sure a comma-space string will never work there, this patch has CGI.pm use the first host named in X-Forwarded-Host. Thanks, --- lib/CGI.pm | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/lib/CGI.pm b/lib/CGI.pm index f510680..080a4ec 100644 --- a/lib/CGI.pm +++ b/lib/CGI.pm @@ -2817,7 +2817,9 @@ sub url { my $protocol = $self->protocol(); $url = "$protocol://"; my $vh = http('x_forwarded_host') || http('host') || ''; - $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. + # If there's more than one forwarded host, use the first one. + $vh = (split(/, /, $vh))[0]; + $vh =~ s/\:\d+$//; # some clients add the port number (incorrectly). Get rid of it. $url .= $vh || server_name(); -- 1.7.2.5
  Tue Sep 11 17:20:26 2012 mark [...] summersault.com - Correspondence added
Subject: Re: [rt.cpan.org #79516] [PATCH] Use only the first X_FORWARDED_HOST for building URLs.
Date: Tue, 11 Sep 2012 17:19:57 -0400
To: bug-cgi.pm [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
I'm familiar with X-Forwarded-Host possibly having multiple domains in it and will take a look. Thanks for the feedback. Mark
  Tue Sep 11 17:20:32 2012 The RT System itself - Status changed from 'new' to 'open'
  Thu May 22 08:14:47 2014 LEEJO [...] cpan.org - Correspondence added
This issue has been copied to: https://github.com/leejo/CGI.pm/issues/102 please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
  Fri May 23 14:28:11 2014 The RT System itself - Queue changed from CGI.pm to CGI
  Tue Jul 22 10:28:50 2014 LEEJO [...] cpan.org - Correspondence added
Well this is interesting, see #70 and 786165e1ed07e42b2590608ec117a0dcb366d39c. We are now taking the *last* IP in the list as this is the convention in other frameworks.
  Tue Jul 22 10:28:51 2014 LEEJO [...] cpan.org - Status changed from 'open' to 'resolved'