Support multiple hosts in X-Forwarded-Host

iconoeugen · dougwilson · commit b93ffd4bdc09 · 2018-10-28T15:58:25.000-04:00
fixes #3494 closes #3495
diff --git a/History.md b/History.md
@@ -3,6 +3,7 @@ unreleased
 
   * Improve error message for non-strings to `res.sendFile`
   * Improve error message for `null`/`undefined` to `res.status`
+  * Support multiple hosts in `X-Forwarded-Host`
 
 4.16.4 / 2018-10-10
 ===================
diff --git a/lib/request.js b/lib/request.js
@@ -430,6 +430,10 @@ defineGetter(req, 'hostname', function hostname(){
 
   if (!host || !trust(this.connection.remoteAddress, 0)) {
     host = this.get('Host');
+  } else if (host.indexOf(',') !== -1) {
+    // Note: X-Forwarded-Host is normally only ever a
+    //       single value, but this is to be safe.
+    host = host.substring(0, host.indexOf(',')).trimRight()
   }
 
   if (!host) return;
diff --git a/test/req.hostname.js b/test/req.hostname.js
@@ -116,6 +116,56 @@ describe('req', function(){
         .set('Host', 'example.com')
         .expect('example.com', done);
       })
+
+      describe('when multiple X-Forwarded-Host', function () {
+        it('should use the first value', function (done) {
+          var app = express()
+
+          app.enable('trust proxy')
+
+          app.use(function (req, res) {
+            res.send(req.hostname)
+          })
+
+          request(app)
+          .get('/')
+          .set('Host', 'localhost')
+          .set('X-Forwarded-Host', 'example.com, foobar.com')
+          .expect(200, 'example.com', done)
+        })
+
+        it('should remove OWS around comma', function (done) {
+          var app = express()
+
+          app.enable('trust proxy')
+
+          app.use(function (req, res) {
+            res.send(req.hostname)
+          })
+
+          request(app)
+          .get('/')
+          .set('Host', 'localhost')
+          .set('X-Forwarded-Host', 'example.com , foobar.com')
+          .expect(200, 'example.com', done)
+        })
+
+        it('should strip port number', function (done) {
+          var app = express()
+
+          app.enable('trust proxy')
+
+          app.use(function (req, res) {
+            res.send(req.hostname)
+          })
+
+          request(app)
+          .get('/')
+          .set('Host', 'localhost')
+          .set('X-Forwarded-Host', 'example.com:8080 , foobar.com:8888')
+          .expect(200, 'example.com', done)
+        })
+      })
     })
 
     describe('when "trust proxy" is disabled', function(){

Original file line number	Diff line number	Diff line change
`@@ -430,6 +430,10 @@ defineGetter(req, 'hostname', function hostname(){`
`430`	`430`
`431`	`431`	`if (!host \|\| !trust(this.connection.remoteAddress, 0)) {`
`432`	`432`	`host = this.get('Host');`
	`433`	`+ } else if (host.indexOf(',') !== -1) {`
	`434`	`+ // Note: X-Forwarded-Host is normally only ever a`
	`435`	`+ // single value, but this is to be safe.`
	`436`	`+ host = host.substring(0, host.indexOf(',')).trimRight()`
`433`	`437`	`}`
`434`	`438`
`435`	`439`	`if (!host) return;`