21137: Tighten TestEndSessionEndpointBadScheme check
[arvados.git] / lib / controller / proxy.go
index 47b8cb47112ad5990d2f80dd23c72cf98fb85a70..26d1859ec874341af736dc9cd0b9ef3ca4a936cf 100644 (file)
@@ -45,6 +45,11 @@ var dropHeaders = map[string]bool{
 
        // Content-Length depends on encoding.
        "Content-Length": true,
+
+       // Defend against Rails vulnerability CVE-2023-22795 -
+       // we don't use this functionality anyway, so it costs us nothing.
+       // <https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118>
+       "If-None-Match": true,
 }
 
 type ResponseFilter func(*http.Response, error) (*http.Response, error)
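Review bot: The comment on the new `"If-None-Match": true` entry names the CVE but does not state the scope of the mitigation or when the entry can be removed. As far as this hunk shows, the header is stripped only from requests that pass through this proxy, so a Rails server reachable by any other path still needs the upstream fix. I would add a line such as `// Mitigation applies only to requests proxied here; remove once Rails is upgraded to a fixed release.` The code that consults dropHeaders lies outside the hunk, so confirm that it looks keys up in canonical form (`http.CanonicalHeaderKey`), so that the match does not depend on how a client capitalises the header. A test asserting that the header is absent from the forwarded request would keep the mitigation from regressing silently.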