Yuanhao Zhu created NIFI-16056:
----------------------------------

             Summary: X-Forwarded-Host could contain multiple comma-separated values
                 Key: NIFI-16056
                 URL: https://issues.apache.org/jira/browse/NIFI-16056
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 2.10.0
            Reporter: Yuanhao Zhu


When NiFi sits behind a chain of reverse proxies that each append to 
{{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd 
{{mod_proxy}} with {{ProxyAddHeaders On}}), the header arrives as a single 
field containing a comma-separated list, e.g.:

{{X-Forwarded-Host: host.example.com, host.example.com}}

{{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first 
field value and, after stripping a single trailing {{:port}}, compares the 
*entire string* against the request {{Host}} and the {{nifi.web.proxy.host}} 
allow-list. Because it does not split on comma, the value 
{{"host.example.com, host.example.com"}} is never found in the allow-list and 
the request is rejected with *HTTP 421 – Invalid Proxy Host Requested*, even 
though every individual value is a legitimate, allow-listed host.



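The difference between whole-string and per-value comparison of a merged X-Forwarded-Host field, as an added example (not NiFi's code and not the project's fix); the class and method names, the allow-list and the header samples are constructed. It assumes every element of the list must be allow-listed, because elements added before the first trusted proxy are client-controlled.

```java
import java.util.Locale;
import java.util.Set;

public class ForwardedHostCheck {
    // Strip a single trailing :port (digits only), so "[::1]:8443" keeps its brackets.
    static String stripPort(String value) {
        return value.replaceFirst(":\\d+$", "");
    }

    // Whole-string comparison, modelling the behaviour the report describes:
    // a comma-separated list is looked up as one value and never matches.
    static boolean wholeValueAllowed(String header, Set<String> allowed) {
        return allowed.contains(stripPort(header.trim()).toLowerCase(Locale.ROOT));
    }

    // Per-value comparison: split on comma and require EVERY element to be
    // allow-listed. Accepting on the first or last element alone would let an
    // unlisted host ride along in the same field.
    static boolean everyValueAllowed(String header, Set<String> allowed) {
        if (header == null || header.isBlank()) {
            return false;
        }
        for (String part : header.split(",", -1)) { // -1 keeps trailing empty elements
            String host = stripPort(part.trim()).toLowerCase(Locale.ROOT);
            if (host.isEmpty() || !allowed.contains(host)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("host.example.com"); // constructed allow-list
        String[] samples = {                               // constructed header values
            "host.example.com",
            "host.example.com, host.example.com",
            "host.example.com:8443, host.example.com",
            "unlisted.example.net, host.example.com",
            "host.example.com,",
        };
        for (String s : samples) {
            System.out.printf("%-42s whole=%-5b each=%b%n",
                    s, wholeValueAllowed(s, allowed), everyValueAllowed(s, allowed));
        }
    }
}
```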