author | Brad Fitzpatrick <bradfitz@golang.org> | 2020-04-29 11:00:23 -0700 |
---|---|---|
committer | Brad Fitzpatrick <bradfitz@golang.org> | 2020-04-30 14:41:10 +0000 |
commit | ecdbffd4ec68b509998792f120868fec319de59b (patch) | |
tree | c9bcbcdc2b4d29c92e15fcf640e8b6eae4af6b5a /src/net/http/httputil/reverseproxy.go | |
parent | 1d9801223eb0693af64d2bc8c23c910ce7f18b16 (diff) | |
net/http/httputil: don't append to X-Forwarded-For in ReverseProxy when nil
Fixes #38079
Change-Id: Iac02d7f9574061bb26d1d9a41bb6ee6cc38934e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/230937
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/net/http/httputil/reverseproxy.go')
-rw-r--r-- | src/net/http/httputil/reverseproxy.go | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
index eb17bef979..6e5bc4753e 100644
--- a/src/net/http/httputil/reverseproxy.go
+++ b/src/net/http/httputil/reverseproxy.go
@@ -25,10 +25,15 @@ import (
 // sends it to another server, proxying the response back to the
 // client.
 //
-// ReverseProxy automatically sets the client IP as the value of the
+// ReverseProxy by default sets the client IP as the value of the
 // X-Forwarded-For header.
+//
 // If an X-Forwarded-For header already exists, the client IP is
-// appended to the existing values.
+// appended to the existing values. As a special case, if the header
+// exists in the Request.Header map but has a nil value (such as when
+// set by the Director func), the X-Forwarded-For header is
+// not modified.
+//
 // To prevent IP spoofing, be sure to delete any pre-existing
 // X-Forwarded-For header coming from the client or
 // an untrusted proxy.
@@ -248,10 +253,14 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 // If we aren't the first proxy retain prior
 // X-Forwarded-For information as a comma+space
 // separated list and fold multiple headers into one.
- if prior, ok := outreq.Header["X-Forwarded-For"]; ok {
+ prior, ok := outreq.Header["X-Forwarded-For"]
+ omit := ok && prior == nil // Issue 38079: nil now means don't populate the header
+ if len(prior) > 0 {
 clientIP = strings.Join(prior, ", ") + ", " + clientIP
 }
- outreq.Header.Set("X-Forwarded-For", clientIP)
+ if !omit {
+ outreq.Header.Set("X-Forwarded-For", clientIP)
+ }
 }
 res, err := transport.RoundTrip(outreq) |
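Review bot: The ReverseProxy doc comment in the first hunk now describes two different Director actions on X-Forwarded-For without contrasting them: the new special case triggers on a nil map value, while the spoofing paragraph right after it tells the reader to delete the header. Going by the ServeHTTP hunk in this same commit, a deleted key still gets the client IP written and only a present-but-nil entry suppresses the header, so a reader who wants no header at all could reach for `Header.Del` and get the opposite result. I would add one line after "not modified.", for example `// Deleting the header instead causes it to be set to the client IP alone.` The comment block starts above the hunk.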
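Review bot: In the second hunk, `omit := ok && prior == nil` separates a nil slice from an empty non-nil one, so a `[]string{}` stored under the key still ends with `Header.Set` writing the client IP, and the trailing comment on that line does not say so. The lookup is also a direct map index on the canonical key, so a nil stored under a differently cased key would presumably not be seen by this check. I would move the comment above the line and spell the contract out: `// Issue 38079: a present-but-nil entry means the header is not sent; an absent key or an empty non-nil slice still gets the client IP.` Backends that read this header for logging or access decisions should expect it to be absent once a Director opts out. ServeHTTP's body starts and ends outside the hunk.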