WebAPI: fix validating wrong header field. Closes #7311.

X-Forwarded-Host is a foreign proxy setting, it isn't the same as qbt's local setting and thus it makes no sense to verify it.
2024-11-26 19:26:59 +03:00 · 2017-08-20 21:46:41 +08:00 · 2017-08-20 21:46:41 +08:00 · 9ef1e32327
commit 9ef1e32327
parent 173f6fd75d
1 changed files with 1 additions and 2 deletions
--- a/src/webui/abstractwebapplication.cpp
+++ b/src/webui/abstractwebapplication.cpp
@ -420,8 +420,7 @@ bool AbstractWebApplication::isCrossSiteRequest(const Http::Request &request) co

 bool AbstractWebApplication::validateHostHeader(const Http::Request &request, const Http::Environment &env, const QStringList &domains) const
 {
-    const QUrl hostHeader = QUrl::fromUserInput(
-                                request.headers.value(Http::HEADER_X_FORWARDED_HOST, request.headers.value(Http::HEADER_HOST)));
+    const QUrl hostHeader = QUrl::fromUserInput(request.headers.value(Http::HEADER_HOST));

    // (if present) try matching host header's port with local port
    const int requestPort = hostHeader.port();