fix: Proxy: do not trust input - always set own value for 'X-Origin-I…

…P' (#354) An external packet received by the proxy can have any value in 'X-Origin-IP' - we can't trust it, it's best to set it on our own Signed-off-by: Alexander Piskun <[email protected]>
nextcloud · Aug 7, 2024 · 1554fc8 · 1554fc8
1 parent dc7de14
commit 1554fc8
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
@@ -255,17 +255,16 @@ private function buildHeadersWithExclude(ExApp $exApp, string $exAppRoute, array
 				break;
 			}
 		}
-		if (empty($headersToExclude)) {
-			return $headers;
+		if (!in_array('x-origin-ip', $headersToExclude)) {
+			$headersToExclude[] = 'x-origin-ip';
 		}
+		$headersToExclude[] = 'authorization-app-api';
 		foreach ($headers as $key => $value) {
 			if (in_array(strtolower($key), $headersToExclude)) {
 				unset($headers[$key]);
 			}
 		}
-		if (!isset($headers['X-Origin-IP'])) {
-			$headers['X-Origin-IP'] = $this->request->getRemoteAddress();
-		}
+		$headers['X-Origin-IP'] = $this->request->getRemoteAddress();
 		return $headers;
 	}
 }