Yuanhao Zhu created NIFI-16056:
----------------------------------
Summary: X-Forwarded-Host could contain multiple comma-separated
values
Key: NIFI-16056
URL: https://issues.apache.org/jira/browse/NIFI-16056
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 2.10.0
Reporter: Yuanhao Zhu
When NiFi sits behind a chain of reverse proxies that each append to
{{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd
{{mod_proxy}} with {{{}ProxyAddHeaders On{}}}), the header arrives as a single
field containing a comma-separated list, e.g.:
{{X-Forwarded-Host: host.example.com, host.example.com}}
{{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first
field value and, after stripping a single trailing {{{}:port{}}}, compares the
*entire string* against the request {{Host}} and the {{nifi.web.proxy.host}}
allow-list. Because it does not split on comma, the value {{"host.example.com,
host.example.com"}} is never found in the allow-list and the request is
rejected with {*}HTTP 421 – Invalid Proxy Host Requested{*}, even though every
individual value is a legitimate, allow-listed host.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)