[bug] Fix handling of comma-separated values in X-Forwarded-Host header

Sergey Konovalov
2025-07-17 17:24:16 +03:00
parent 9d406d2b59
commit 3c9415d359


@ -795,8 +795,22 @@ function containsAllAsciiNP(str) {
return /^[\040-\176]*$/.test(str);//non-printing characters
}
exports.containsAllAsciiNP = containsAllAsciiNP;
/**
* Get domain from headers
* @param {string} hostHeader - Host header
* @param {string} forwardedHostHeader - X-Forwarded-Host header (may contain comma-separated values)
* @returns {string}
*/
function getDomain(hostHeader, forwardedHostHeader) {
return forwardedHostHeader || hostHeader || 'localhost';
if (forwardedHostHeader) {
// Handle comma-separated values, take first value(original host per RFC 7239)
return forwardedHostHeader.split(',')[0].trim();
}
if (hostHeader) {
// Header should contain one value(RFC 7230), apply same logic for protection against malformed requests
return hostHeader.split(',')[0].trim();
}
return 'localhost';
};
function getBaseUrl(protocol, hostHeader, forwardedProtoHeader, forwardedHostHeader, forwardedPrefixHeader) {
var url = '';
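Review bot: In `getDomain`, a header whose first comma-separated element is empty or whitespace (a value of just `,`, or one starting with a comma) is truthy, so the new branch returns `''` instead of falling through to `hostHeader` or `'localhost'`. The replaced `||` chain never returned an empty string, so this is a regression for malformed input. Return only a non-empty value in both branches, e.g. `const first = forwardedHostHeader.split(',')[0].trim(); if (first) { return first; }`. Separately, the first `X-Forwarded-Host` element is the one set closest to the client, so unless a trusted proxy overwrites the header it is client-controlled. If `getBaseUrl` (whose body continues outside the hunk) builds links from this value, it should be checked against the expected host names, and a comment on `getDomain` should state that trust assumption.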