only trust last x-forwarded-proto entry

tornadoweb · Nov 10, 2017 · 80959e4 · 80959e4
1 parent 8d96557
commit 80959e4
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/tornado/httpserver.py b/tornado/httpserver.py
@@ -288,8 +288,9 @@ def _apply_xheaders(self, headers):
             "X-Scheme", headers.get("X-Forwarded-Proto",
                                     self.protocol))
         if proto_header:
-            # use the outermost proto entry if there is more than one
-            proto_header = proto_header.split(',')[0].strip()
+            # use only the last proto entry if there is more than one
+            # TODO: support trusting mutiple layers of proxied protocol
+            proto_header = proto_header.split(',')[-1].strip()
         if proto_header in ("http", "https"):
             self.protocol = proto_header
 

diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py
@@ -553,12 +553,12 @@ def test_scheme_headers(self):
         https_multi_forwarded = {"X-Forwarded-Proto": "https , http"}
         self.assertEqual(
             self.fetch_json("/", headers=https_multi_forwarded)["remote_protocol"],
-            "https")
+            "http")
 
         http_multi_forwarded = {"X-Forwarded-Proto": "http,https"}
         self.assertEqual(
             self.fetch_json("/", headers=http_multi_forwarded)["remote_protocol"],
-            "http")
+            "https")
 
         bad_forwarded = {"X-Forwarded-Proto": "unknown"}
         self.assertEqual(