From 47b5b441395921e9f8e9982bb3f560e5db5a67bc Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer <jacob@gitlab.com>
Date: Tue, 12 Jul 2016 17:22:10 +0200
Subject: Defend against 'Host' header injection

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17877 .

This change adds 'defense in depth' against 'Host' HTTP header
injection. It affects normal users in the following way. Suppose your
GitLab server has IP address 1.2.3.4 and hostname gitlab.example.com.
Currently, if you enter 1.2.3.4 in your browser, you get redirected to
1.2.3.4/users/sign_in. After this change, you get redirected from
1.2.3.4 to gitlab.example.com/users/sign_in. This is because the
address you typed in the address bar of your browser ('1.2.3.4'),
which gets stored in the 'Host' header, is now being overwritten to
'gitlab.example.com' in NGINX.

In this change we also make NGINX clear the 'X-Forwarded-Host' header
because Ruby on Rails also uses that header the same wayas the 'Host'
header.

We think that for most GitLab servers this is the right behavior, and
if not then administrators can change this behavior themselves at the
NGINX level.
---
 lib/support/nginx/gitlab     | 7 ++++++-
 lib/support/nginx/gitlab-ssl | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

(limited to 'lib/support/nginx')

diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index d521de28e8a..4a4892a2e07 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -49,7 +49,12 @@ server {
 
     proxy_http_version 1.1;
 
-    proxy_set_header    Host                $http_host;
+    ## By overwriting Host and clearing X-Forwarded-Host we ensure that
+    ## internal HTTP redirects generated by GitLab always send users to
+    ## YOUR_SERVER_FQDN.
+    proxy_set_header    Host                YOUR_SERVER_FQDN;
+    proxy_set_header    X-Forwarded-Host    "";
+
     proxy_set_header    X-Real-IP           $remote_addr;
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
     proxy_set_header    X-Forwarded-Proto   $scheme;
diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl
index bf014b56cf6..0b93d7f292f 100644
--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -93,7 +93,12 @@ server {
 
     proxy_http_version 1.1;
 
-    proxy_set_header    Host                $http_host;
+    ## By overwriting Host and clearing X-Forwarded-Host we ensure that
+    ## internal HTTP redirects generated by GitLab always send users to
+    ## YOUR_SERVER_FQDN.
+    proxy_set_header    Host                YOUR_SERVER_FQDN;
+    proxy_set_header    X-Forwarded-Host    "";
+
     proxy_set_header    X-Real-IP           $remote_addr;
     proxy_set_header    X-Forwarded-Ssl     on;
     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-- 
cgit v1.2.1