gitlab-org--gitlab-foss/lib/support
Jacob Vosmaer 47b5b44139 Defend against 'Host' header injection
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17877 .

This change adds 'defense in depth' against 'Host' HTTP header
injection. It affects normal users in the following way. Suppose your
GitLab server has IP address 1.2.3.4 and hostname gitlab.example.com.
Currently, if you enter 1.2.3.4 in your browser, you get redirected to
1.2.3.4/users/sign_in. After this change, you get redirected from
1.2.3.4 to gitlab.example.com/users/sign_in. This is because the
address you typed in the address bar of your browser ('1.2.3.4'),
which gets stored in the 'Host' header, is now being overwritten to
'gitlab.example.com' in NGINX.

In this change we also make NGINX clear the 'X-Forwarded-Host' header
because Ruby on Rails also uses that header the same way as the 'Host'
header.

We think that for most GitLab servers this is the right behavior, and
if not then administrators can change this behavior themselves at the
NGINX level.
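To illustrate the NGINX-level behaviour the commit message describes, here is an added example (not the commit's own diff): the permissive form that forwards the client-supplied 'Host' header unchanged, beside the hardened form that pins it to the canonical hostname and drops 'X-Forwarded-Host'. The hostname gitlab.example.com and the upstream name gitlab-workhorse are assumptions taken from the message and from the directory listing, not from the actual config file.

```nginx
# BEFORE (permissive): whatever the client puts in 'Host' reaches Rails,
# so a request for http://1.2.3.4/ or a forged Host value is passed through.
location / {
  proxy_set_header Host $http_host;                 # client-controlled value
  proxy_set_header X-Real-IP $remote_addr;
  proxy_pass http://gitlab-workhorse;
}

# AFTER (defense in depth): the 'Host' header is overwritten with the
# canonical hostname, so Rails only ever sees gitlab.example.com and
# redirects 1.2.3.4/ to gitlab.example.com/users/sign_in.
location / {
  proxy_set_header Host gitlab.example.com;         # assumed canonical name
  # An empty value makes NGINX omit the header entirely, which is the
  # documented proxy_set_header behaviour; Rails treats X-Forwarded-Host
  # like Host, so it must not be left client-controlled either.
  proxy_set_header X-Forwarded-Host "";
  proxy_set_header X-Real-IP $remote_addr;
  proxy_pass http://gitlab-workhorse;
}
```

Note that `$host` is not a substitute for the literal name: it is still derived from the request's Host header whenever a server block matches, so an instance served as a catch-all default would still reflect a forged value. Administrators who serve GitLab under several hostnames or a non-default port need to adapt the pinned value, as the commit message anticipates.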
2016-07-12 19:50:20 +02:00
deploy Fix typo 2015-03-14 10:22:06 +01:00
init.d Replace gitlab-workhorse with GitLab Workhorse where appropriate 2016-04-28 17:36:50 +03:00
logrotate Logrotate daily, keeping 90 days of old logs 2014-03-12 15:26:39 +01:00
nginx Defend against 'Host' header injection 2016-07-12 19:50:20 +02:00