From 3c9415d35921a173b227126091c2537db10d0ad2 Mon Sep 17 00:00:00 2001
From: Sergey Konovalov
Date: Thu, 17 Jul 2025 17:24:16 +0300
Subject: [PATCH] [bug] Fix handling of comma-separated values in X-Forwarded-Host header
---
Common/sources/utils.js | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/Common/sources/utils.js b/Common/sources/utils.js
index 36191440..1d1dfc67 100644
--- a/Common/sources/utils.js
+++ b/Common/sources/utils.js
@@ -795,8 +795,22 @@ function containsAllAsciiNP(str) {
 return /^[\040-\176]*$/.test(str);//non-printing characters
 }
 exports.containsAllAsciiNP = containsAllAsciiNP;
+/**
+ * Get domain from headers
+ * @param {string} hostHeader - Host header
+ * @param {string} forwardedHostHeader - X-Forwarded-Host header (may contain comma-separated values)
+ * @returns {string}
+ */
 function getDomain(hostHeader, forwardedHostHeader) {
-    return forwardedHostHeader || hostHeader || 'localhost';
+    if (forwardedHostHeader) { // Handle comma-separated values, take first value(original host per RFC 7239) return forwardedHostHeader.split(',')[0].trim(); } if (hostHeader) { // Header should contain one value(RFC 7230), apply same logic for protection against malformed requests return hostHeader.split(',')[0].trim(); } return 'localhost';
 };
 function getBaseUrl(protocol, hostHeader, forwardedProtoHeader, forwardedHostHeader, forwardedPrefixHeader) {
 var url = '';
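Review bot: The new `forwardedHostHeader` branch can return an empty string where the old `||` chain never did: a header such as `, evil.example` or one that is only whitespace is truthy, passes the `if`, and `split(',')[0].trim()` yields `''`, which is returned as the domain instead of falling back to `hostHeader` or `'localhost'`; the `hostHeader` branch has the same gap. I would test the first value after trimming and fall through when it is empty, as in the rewrite below. Separately, RFC 7239 defines the `Forwarded` header rather than `X-Forwarded-Host`, so I would word the comment `// first value is the client-facing host by the de-facto X-Forwarded-* convention`. The chosen value is still used without any host-syntax check or allowlist, which is presumably only safe when a trusted reverse proxy sets or strips this header; that is pre-existing rather than introduced here, but deserves a `NOTE:` on the function. `getBaseUrl`, whose signature opens the last lines of the hunk, continues outside it.
```javascript
function getDomain(hostHeader, forwardedHostHeader) {
  // Take the first comma-separated value of each candidate, in priority order.
  // An empty first value (", evil.example", whitespace-only) must not become
  // the domain, so fall through to the next candidate instead of returning ''.
  for (const header of [forwardedHostHeader, hostHeader]) {
    const first = header ? header.split(',')[0].trim() : '';
    if (first) {
      return first;
    }
  }
  return 'localhost';
};
```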