ProxyHeadersMiddleware does not handle multiple values of X-Forwarded-Proto header #2310
Unanswered
pmeier asked this question in Potential Issue
Replies: 0 comments
While the `X-Forwarded-*` headers are not standardized, the RFC 7239 states the following about the `Forwarded-*` headers, which are supposed to be a replacement for the former (see #2237):

Meaning, the value cannot just be `http` or `https`, but also `http,https`.

Currently `ProxyHeadersMiddleware` just uses the value as is:

uvicorn/uvicorn/middleware/proxy_headers.py
Lines 55 to 58 in 0efd383

When building a URL from this, i.e. by FastAPI / starlette, we are effectively doing `url = f"{scheme}://..."`.

When trying to process this further, `starlette.datastructures.URL` provides the `replace` method, which allows users to replace parts of the URL. Internally this relies on `urllib.parse.urlsplit` and the `._replace` method of its result. However, in turn, this doesn't recognize the scheme and puts all the information into the path, ultimately losing the information:

Contrast this with the case of a valid scheme:

We should process the header and only select one of the options for the scheme. For example, here is how Tornado is doing it:

I'm happy to provide a patch for this if we deem this an issue to be fixed.
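The parsing failure described in the post, with one way to reduce the header to a single validated scheme, as an added example (not code from the post, uvicorn or Tornado). `forwarded_scheme`, `split_parts`, `ALLOWED_SCHEMES` and the sample headers are hypothetical; taking the last entry and falling back to the connection's own scheme are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumption of this example: only these schemes are accepted.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def forwarded_scheme(asgi_headers, default):
    """Pick one validated scheme from X-Forwarded-Proto.

    asgi_headers is an iterable of (name, value) byte pairs with lower-cased
    names, as ASGI delivers them. Repeated header lines and comma-separated
    values are flattened into one list of entries.
    """
    entries = []
    for name, value in asgi_headers:
        if name == b"x-forwarded-proto":
            text = value.decode("latin-1")
            entries.extend(part.strip().lower() for part in text.split(","))
    entries = [entry for entry in entries if entry]
    if not entries:
        return default
    # Assumption: use the last entry; anything off the allow-list is ignored.
    candidate = entries[-1]
    return candidate if candidate in ALLOWED_SCHEMES else default


def split_parts(url):
    """Return (scheme, netloc, path) as urllib.parse.urlsplit sees them."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = [
    (b"host", b"example.com"),
    (b"x-forwarded-proto", b"http,https"),
]

if __name__ == "__main__":
    raw = SAMPLE_HEADERS[1][1].decode("latin-1")
    # Raw header value used as the scheme: everything lands in the path.
    print(split_parts(f"{raw}://example.com/items"))
    # Single validated scheme: scheme and host are recognized again.
    scheme = forwarded_scheme(SAMPLE_HEADERS, default="http")
    print(split_parts(f"{scheme}://example.com/items"))
```

The allow-list also keeps an arbitrary header value from ever reaching URL construction, which matters because the header content is controlled by whoever sits upstream of the server.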