From: Min RK
Date: Thu, 16 Nov 2017 03:21:52 +0000 (+0100)
Subject: handle multiple values in X-Forwarded-Proto (#2162)
X-Git-Tag: v5.0.0~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5fcfb4277514ff82e2d3b17a24a26ed505b8d453;p=thirdparty%2Ftornado.git
handle multiple values in X-Forwarded-Proto (#2162)
---
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
index 8921a051f..da755f846 100644
--- a/tornado/httpserver.py
+++ b/tornado/httpserver.py
@@ -287,6 +287,10 @@ class _HTTPRequestContext(object):
         proto_header = headers.get(
             "X-Scheme", headers.get("X-Forwarded-Proto", self.protocol))
+        if proto_header:
+            # use only the last proto entry if there is more than one
+            # TODO: support trusting mutiple layers of proxied protocol
+            proto_header = proto_header.split(',')[-1].strip()
         if proto_header in ("http", "https"):
             self.protocol = proto_header
diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py
index 2f9e9094a..1b1286022 100644
--- a/tornado/test/httpserver_test.py
+++ b/tornado/test/httpserver_test.py
@@ -550,6 +550,16 @@ class XHeaderTest(HandlerBaseTestCase):
             self.fetch_json("/", headers=https_forwarded)["remote_protocol"],
             "https")
+        https_multi_forwarded = {"X-Forwarded-Proto": "https , http"}
+        self.assertEqual(
+            self.fetch_json("/", headers=https_multi_forwarded)["remote_protocol"],
+            "http")
+
+        http_multi_forwarded = {"X-Forwarded-Proto": "http,https"}
+        self.assertEqual(
+            self.fetch_json("/", headers=http_multi_forwarded)["remote_protocol"],
+            "https")
+
         bad_forwarded = {"X-Forwarded-Proto": "unknown"}
         self.assertEqual(
             self.fetch_json("/", headers=bad_forwarded)["remote_protocol"],
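Review bot: The comment on the new `split(',')[-1]` line says what is picked but not why the last entry is the only one that may be trusted, which is the security-relevant point of this change; when a proxy appends its own value to an `X-Forwarded-Proto` list, earlier entries can have been supplied by the original client, so only the value added by the nearest hop reflects what the server is actually behind. I would replace the two comment lines with `# Use only the last entry: earlier entries may come from the client, so only the value appended by the nearest proxy is trusted here.` plus the TODO with the typo fixed (`multiple`). Note that the fallback still works for a trailing comma or an empty entry, since `''` fails the `in ("http", "https")` check and `self.protocol` is left unchanged; that is worth a short comment too, as it is the reason the guard is safe. The same split is applied when the value came from `X-Scheme`, which the comment should mention since the header name suggests otherwise. The enclosing method starts before this hunk, so the trusted-downstream handling that applies to `X-Forwarded-For` is not visible here and I cannot confirm whether it is meant to extend to the proto list as the TODO implies.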
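Review bot: The new cases cover a two-entry list with and without whitespace, but not a list whose last entry is empty, which is the boundary the new `split(',')[-1].strip()` code introduces; a value such as `"https,"` yields `''` and should leave the protocol at its default rather than be treated as `https`. I would add `trailing_comma = {"X-Forwarded-Proto": "https,"}` followed by `self.assertEqual(self.fetch_json("/", headers=trailing_comma)["remote_protocol"], "http")`, which pins that fallback the way `bad_forwarded` already does for an unrecognised scheme. The expected `"http"` assumes the test server's default protocol is plain http, as the existing `bad_forwarded` assertion below implies.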