caddyhttp: Sanitize scheme and host on incoming requests

caddyserver · Aug 20, 2021 · 98762fb · 98762fb
1 parent a056fcd
commit 98762fb
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
@@ -555,6 +555,14 @@ func (slc ServerLogConfig) getLoggerName(host string) string {
 // PrepareRequest fills the request r for use in a Caddy HTTP handler chain. w and s can
 // be nil, but the handlers will lose response placeholders and access to the server.
 func PrepareRequest(r *http.Request, repl *caddy.Replacer, w http.ResponseWriter, s *Server) *http.Request {
+	// sanitize the request URL; we expect it to not contain the scheme and host
+	// since those should be determined by r.TLS and r.Host respectively, but
+	// some clients may include it in the request-line, which is technically
+	// valid in HTTP, but breaks various expectations, for example when copying
+	// the URL to be used by the reverseproxy module.
+	r.URL.Scheme = ""
+	r.URL.Host = ""
+
 	// set up the context for the request
 	ctx := context.WithValue(r.Context(), caddy.ReplacerCtxKey, repl)
 	ctx = context.WithValue(ctx, ServerCtxKey, s)