fix: сorrect handling of multiple X-Forwarded-Host values

Only the first host is considered according to RFC 7239 Signed-off-by: s.v.churanov <s.v.churanov@tbank.ru>
2026-01-26 12:01:57 +03:00 · 2026-01-26 12:01:57 +03:00 · e94545eec0
parent 3a55dadbe8
commit e94545eec0
2 changed files with 16 additions and 0 deletions
--- a/pkg/requests/util/util.go
+++ b/pkg/requests/util/util.go
@ -30,6 +30,12 @@ func GetRequestHost(req *http.Request) string {
 	host := req.Header.Get(XForwardedHost)
 	if !IsProxied(req) || host == "" {
 		host = req.Host
+	} else {
+		// Handle multiple hosts in X-Forwarded-Host (comma-separated)
+		// Take only the first host as per RFC 7239
+		if hosts := strings.Split(host, ","); len(hosts) > 0 {
+			host = strings.TrimSpace(hosts[0])
+		}
 	}
 	return host
 }
--- a/pkg/requests/util/util_test.go
+++ b/pkg/requests/util/util_test.go
@ -59,6 +59,16 @@ var _ = Describe("Util Suite", func() {
 				req.Header.Add("X-Forwarded-Host", "external.oauth2proxy.text")
 				Expect(util.GetRequestHost(req)).To(Equal("external.oauth2proxy.text"))
 			})
+
+			It("returns the first X-Forwarded-Host when multiple hosts are present", func() {
+				req.Header.Add("X-Forwarded-Host", "first.host,second.host,third.host")
+				Expect(util.GetRequestHost(req)).To(Equal("first.host"))
+			})
+
+			It("returns the first X-Forwarded-Host when multiple hosts are present with extra spaces", func() {
+				req.Header.Add("X-Forwarded-Host", "  first.host  ,  second.host  ,  third.host  ")
+				Expect(util.GetRequestHost(req)).To(Equal("first.host"))
+			})
 		})
 	})