Account for comma separated host values on X-Forwarded-Host #29
Description
Account for common separated host values on X-Forwarded-Host
It doesn't seem that the spec specifically says that you can have more than one value, but in practice, it happens. We should account for it.
This was seen in the field.
Caused by: java.net.URISyntaxException: Illegal character in authority at index 7: http://{redacted}, {redacted} at java.base/java.net.URI$Parser.fail(URI.java:2976) at java.base/java.net.URI$Parser.parseAuthority(URI.java:3310) at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3221) at java.base/java.net.URI$Parser.parse(URI.java:3177) at java.base/java.net.URI.<init>(URI.java:623) at java.base/java.net.URI.create(URI.java:904) ... 28 common frames omitted 2025-01-27 4:19:52.629 PM ERROR c.inversoft.cleanspeak.primeframework.mvc.error.ExceptionExceptionHandler - An unhandled exception was thrown java.lang.IllegalArgumentException: Illegal character in authority at index 7: http://{redacted}, f{redacted} at java.base/java.net.URI.create(URI.java:906) at org.primeframework.mvc.security.UserLoginSecurityScheme.handle(UserLoginSecurityScheme.java:83) Related
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
- Handle multiple hosts in X-Forwarded-Host header gorilla/handlers#205
- The "X-Forwarded-Host" header may contain multiple values prerender/prerender-node#184