authorwxiaoguang <wxiaoguang@gmail.com>2024-09-20 22:57:55 +0800
committerGitHub <noreply@github.com>2024-09-20 14:57:55 +0000
commit3b10fd9b3452d548ef116b27161b17f57a8e180c (patch)
tree587ac670a6aa4096dfd4bcd75362b79966abf1cc
parent55d5a74bb3a992dd56152e2f5266c7fd883c1948 (diff)
downloadgitea-3b10fd9b3452d548ef116b27161b17f57a8e180c.tar.gz
gitea-3b10fd9b3452d548ef116b27161b17f57a8e180c.zip
Only use Host header from reverse proxy (#32060)
X-Forwarded-Host has many problems: it is non-standard, not well-defined (with or without X-Forwarded-Port), and it conflicts with the Host header; it already caused problems like #31907. So do not use X-Forwarded-Host; just use the Host header directly. The official documentation also only uses the `Host` header and never mentions others.
-rw-r--r--.github/workflows/pull-db-tests.yml3
-rw-r--r--modules/httplib/url.go13
-rw-r--r--modules/httplib/url_test.go5
3 files changed, 8 insertions, 13 deletions
diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
index 246884f24b..90804c0f0a 100644
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -201,7 +201,8 @@ jobs:
runs-on: ubuntu-latest
services:
mssql:
- image: mcr.microsoft.com/mssql/server:2017-latest
+ # some images before 2024-04 can't run on new kernels
+ image: mcr.microsoft.com/mssql/server:2019-latest
env:
ACCEPT_EULA: Y
MSSQL_PID: Standard
diff --git a/modules/httplib/url.go b/modules/httplib/url.go
index 219dfe695c..e3bad1e5fb 100644
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -52,11 +52,6 @@ func getRequestScheme(req *http.Request) string {
return ""
}
-func getForwardedHost(req *http.Request) string {
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
- return req.Header.Get("X-Forwarded-Host")
-}
-
// GuessCurrentAppURL tries to guess the current full app URL (with sub-path) by http headers. It always has a '/' suffix, exactly the same as setting.AppURL
func GuessCurrentAppURL(ctx context.Context) string {
return GuessCurrentHostURL(ctx) + setting.AppSubURL + "/"
@@ -81,11 +76,9 @@ func GuessCurrentHostURL(ctx context.Context) string {
if reqScheme == "" {
return strings.TrimSuffix(setting.AppURL, setting.AppSubURL+"/")
}
- reqHost := getForwardedHost(req)
- if reqHost == "" {
- reqHost = req.Host
- }
- return reqScheme + "://" + reqHost
+ // X-Forwarded-Host has many problems: non-standard, not well-defined (X-Forwarded-Port or not), conflicts with Host header.
+ // So do not use X-Forwarded-Host, just use Host header directly.
+ return reqScheme + "://" + req.Host
}
// MakeAbsoluteURL tries to make a link to an absolute URL:
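Review bot: The new comment explains why X-Forwarded-Host is dropped but not why req.Host can be trusted, and req.Host is still a request-supplied value: a reverse proxy that passes the client's Host header through unchanged lets the client choose the host in every absolute URL this function produces. The only gate visible here is the reqScheme == "" fallback to setting.AppURL, which presumably means getRequestScheme returns "" when no reverse-proxy headers are present, so the trust model is "the proxy sets both the scheme headers and Host" — that assumption belongs in the comment and in the deployment docs. I would extend the comment with `// req.Host is only trusted because the scheme check above implies a reverse proxy is in front; that proxy must set Host itself rather than forward the client's value.` GuessCurrentHostURL begins outside this hunk, so I cannot see whether req is nil-checked earlier.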
diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index 28aaee6e12..fc6c91cd3a 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -70,7 +70,7 @@ func TestMakeAbsoluteURL(t *testing.T) {
"X-Forwarded-Proto": {"https"},
},
})
- assert.Equal(t, "https://forwarded-host/foo", MakeAbsoluteURL(ctx, "/foo"))
+ assert.Equal(t, "https://user-host/foo", MakeAbsoluteURL(ctx, "/foo"))
}
func TestIsCurrentGiteaSiteURL(t *testing.T) {
@@ -119,5 +119,6 @@ func TestIsCurrentGiteaSiteURL(t *testing.T) {
},
})
assert.True(t, IsCurrentGiteaSiteURL(ctx, "http://localhost:3000"))
- assert.True(t, IsCurrentGiteaSiteURL(ctx, "https://forwarded-host"))
+ assert.True(t, IsCurrentGiteaSiteURL(ctx, "https://user-host"))
+ assert.False(t, IsCurrentGiteaSiteURL(ctx, "https://forwarded-host"))
}
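Review bot: TestIsCurrentGiteaSiteURL now asserts the negative case (the old forwarded-host value is rejected at the added assert.False line), but TestMakeAbsoluteURL in the first hunk only asserts the new positive value. Since the purpose of the commit is that X-Forwarded-Host is ignored, the first test should pin that too, e.g. `assert.NotEqual(t, "https://forwarded-host/foo", MakeAbsoluteURL(ctx, "/foo"))`, so a regression that re-reads the header is caught by both tests. The request fixture's X-Forwarded-Host value is set outside the hunk, so I am assuming it is still "forwarded-host".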