Defend against 'Host' header injection
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17877 . This change adds 'defense in depth' against 'Host' HTTP header injection. It affects normal users in the following way. Suppose your GitLab server has IP address 184.108.40.206 and hostname gitlab.example.com. Currently, if you enter 220.127.116.11 in your browser, you get redirected to 18.104.22.168/users/sign_in. After this change, you get redirected from 22.214.171.124 to gitlab.example.com/users/sign_in. This is because the address you typed in the address bar of your browser ('126.96.36.199'), which gets stored in the 'Host' header, is now being overwritten to 'gitlab.example.com' in NGINX. In this change we also make NGINX clear the 'X-Forwarded-Host' header because Ruby on Rails also uses that header the same wayas the 'Host' header. We think that for most GitLab servers this is the right behavior, and if not then administrators can change this behavior themselves at the NGINX level.
Showing with 13 additions and 2 deletions