Prevent header deception under NoAuth=true
Jipok committed Feb 11, 2024
1 parent 0c1d31c commit d8a3112
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions auth-handler.go
Expand Up @@ -257,15 +257,18 @@ func buildAuthHandler(handler http.Handler) http.Handler {
// Add suffix if present
username = username + domains[req.Host].UserSuffix
// Set proper header
req.Header.Add("Remote-User", username)
req.Header.Add("X-Forwarded-User", username)
req.Header.Set("Remote-User", username)
req.Header.Set("X-Forwarded-User", username)
// Passing the modified request to the reverse proxy
handler.ServeHTTP(w, req)
return
}
}
// Does the site need our authorization?
if domainNoAuth[req.Host] {
// Preventing deception
req.Header.Del("Remote-User")
req.Header.Del("X-Forwarded-User")
handler.ServeHTTP(w, req)
return
}
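Review bot: The client-supplied `Remote-User` and `X-Forwarded-User` values are cleared separately in each forwarding branch (`Set` after a successful login, `Del` under `domainNoAuth[req.Host]`), so any other path in `buildAuthHandler` that reaches `handler.ServeHTTP` would still pass them to the backend unchanged. Deleting both headers once at the top of the returned handler, before any branching (`req.Header.Del("Remote-User")` and `req.Header.Del("X-Forwarded-User")`), would make the guarantee hold by construction, with the authenticated branch then calling `Set` as it does now. The function starts and ends outside this hunk, so whether further forwarding paths exist cannot be confirmed from here. If any backend is CGI/WSGI-style, it is also worth checking that an underscore spelling such as `Remote_User` is not mapped onto the same variable, since `Del` only removes the canonical hyphenated key.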