From 1554fc82da654204c35723b0ff947b721a036c71 Mon Sep 17 00:00:00 2001
From: Alexander Piskun <13381981+bigcat88@users.noreply.github.com>
Date: Wed, 7 Aug 2024 13:23:16 +0300
Subject: [PATCH] fix: Proxy: do not trust input - always set own value for 'X-Origin-IP' (#354)

An external packet received by the proxy can have any value in 'X-Origin-IP' - we can't trust it, it's best to set it on our own

Signed-off-by: Alexander Piskun
---
 lib/Controller/ExAppProxyController.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/Controller/ExAppProxyController.php b/lib/Controller/ExAppProxyController.php
index cdd9675a..78be5321 100644
--- a/lib/Controller/ExAppProxyController.php
+++ b/lib/Controller/ExAppProxyController.php
@@ -255,17 +255,16 @@ private function buildHeadersWithExclude(ExApp $exApp, string $exAppRoute, array
 break;
 }
 }
- if (empty($headersToExclude)) {
- return $headers;
+ if (!in_array('x-origin-ip', $headersToExclude)) {
+ $headersToExclude[] = 'x-origin-ip';
 }
+ $headersToExclude[] = 'authorization-app-api';
 foreach ($headers as $key => $value) {
 if (in_array(strtolower($key), $headersToExclude)) {
 unset($headers[$key]);
 }
 }
- if (!isset($headers['X-Origin-IP'])) {
- $headers['X-Origin-IP'] = $this->request->getRemoteAddress();
- }
+ $headers['X-Origin-IP'] = $this->request->getRemoteAddress();
 return $headers;
 }
 }
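Review bot: The unconditional `$headersToExclude[] = 'authorization-app-api';` is a second security-relevant strip that neither the commit message nor a comment explains, and unlike the `x-origin-ip` entry just above it is appended without the duplicate check. A short comment above both additions would record the invariant, for example `// Never forward client-supplied copies of headers the proxy sets itself.`; whether AppAPI attaches `authorization-app-api` further down the request path is not visible in this hunk and should be confirmed. The forwarded `X-Origin-IP` is also only as reliable as `getRemoteAddress()`, which in Nextcloud can take the address from a forwarded-for header when the peer is a configured trusted proxy, so that dependency is worth stating next to the assignment. Both membership tests would be safer with the strict flag, as in `in_array(strtolower($key), $headersToExclude, true)`. The body of `buildHeadersWithExclude` starts before this hunk, so how `$headersToExclude` is populated, and whether its entries are already lower-case, cannot be checked from here.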