ForwardedRequestCustomizer.setForwardedHostHeader(null) has no effect in Jetty 10.0.x
#7026
Comments
That is an unexpected use case. I hesitate to support this, as the
Why do you do this?
Anyway, there are 2 solutions I can think of for you to use today.

1. Exploiting HTTP Validation

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;

ForwardedRequestCustomizer forwardedCustomizer = new ForwardedRequestCustomizer();
// A name containing a space and a colon can never match a real HTTP field name.
forwardedCustomizer.setForwardedHostHeader("ignore : me");
```

This sets the header to something impossible to match.

2. Customized Solution

Extend from the

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

Server server = new Server();
HttpConfiguration httpConfiguration = new HttpConfiguration();
httpConfiguration.addCustomizer(new ForwardedRequestCustomizer() {
    // Returning null here means no header name is ever bound to the forwarded-host action.
    @Override
    public String getForwardedHostHeader() {
        return null;
    }
});
ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfiguration));
connector.setPort(9999);
server.addConnector(connector);
```

This breaks the binding of header field names to actions for that one header.
I still want to know why you are ignoring the
Thanks for the detailed answer. Extending the
We chose to ignore the header because we wanted to prevent Host header attacks without having to rely on the load balancer being configured to remove an external
While I agree that this is an unexpected use case, I still think that the current behavior is a bug.
This issue has been automatically marked as stale because it has been a
Addressed in Issue #7975
Jetty version(s)
10.0.6
Java version/vendor
(use: java -version)
openjdk 11.0.10 2021-01-19
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.10+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.10+9, mixed mode)
OS type/version
Debian GNU/Linux 10
Description
We use an embedded Jetty with a ForwardedRequestCustomizer. Because we want to ignore the X-Forwarded-Host header, we used setForwardedHostHeader(null). After updating from Jetty 9.4.x to 10.0.x, we noticed that this doesn't work anymore and the request host is updated with the host from X-Forwarded-Host.
How to reproduce?
Start a server with a ForwardedRequestCustomizer and setForwardedHostHeader(null):
Send a request with X-Forwarded-Host:

```shell
curl http://localhost:8080/ -H 'X-Forwarded-Host: example.org'
```

The ForwardedRequestCustomizer will set the request URI to http://example.org/ (see https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java#L534).
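To check what the application actually sees under the reproduction steps above, here is an added example (not code from the issue or from Jetty) that starts an embedded Jetty 10 server with either the reported setter or the override workaround from the reply, and echoes the effective server name; the class name ForwardedHostCheck and the `override` command-line argument are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ForwardedHostCheck {
    // Either the setter from the report (null, which 10.0.6 ignores) or the override workaround.
    static ForwardedRequestCustomizer customizer(boolean useOverride) {
        if (!useOverride) {
            ForwardedRequestCustomizer c = new ForwardedRequestCustomizer();
            c.setForwardedHostHeader(null);
            return c;
        }
        return new ForwardedRequestCustomizer() {
            @Override
            public String getForwardedHostHeader() {
                return null; // no header name is bound to the forwarded-host action
            }
        };
    }

    public static void main(String[] args) throws Exception {
        boolean useOverride = args.length > 0 && args[0].equals("override");
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        config.addCustomizer(customizer(useOverride));
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(8080);
        server.addConnector(connector);
        // Echo the server name and URL the application layer sees for each request.
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
                response.setContentType("text/plain");
                response.getWriter().println("serverName=" + request.getServerName());
                response.getWriter().println("requestURL=" + request.getRequestURL());
                baseRequest.setHandled(true);
            }
        });
        server.start();
        server.join();
    }
}
```

Run it once without arguments and once with `override`, then send the curl request from the report: the echoed serverName shows whether X-Forwarded-Host was applied or ignored.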