Commit 597d64c9 authored by Côme Chilliet's avatar Côme Chilliet

:ambulance: fix(CSRFProtection) Split HTTP_X_FORWARDED_HOST to take only the first value

If there are several proxies it may contain several values, comma-separated

issue #5935
Showing with 2 additions and 1 deletion
......@@ -56,7 +56,8 @@ class CSRFProtection
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$target = $_SERVER['HTTP_X_FORWARDED_HOST'];
/* Only take the first value, there may be several separated by commas */
list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
} else
if (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST'];
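Review bot: the first element returned by explode(',', ...) on the new line can still carry surrounding whitespace when the header is written as `a.example , b.example`, and the value then reaches the comparison against $origin unchanged; wrapping it in trim() (e.g. `$target = trim($target);` after the list() assignment) would avoid a spurious CSRF mismatch for an otherwise legitimate request. The choice of the first value is right, since that is the host the client originally requested before any intermediate proxies appended their own, but it may be worth a comment that the check still trusts X-Forwarded-Host without verifying that the request came through a known proxy.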
  • bmortier @bmortier

    mentioned in commit 343ee2ae

    By Côme Chilliet on 2018-12-18T13:55:27 (imported from GitLab)

  • bmortier @bmortier

    mentioned in merge request !478

    By Côme Chilliet on 2018-12-18T13:55:43 (imported from GitLab)
