X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cd4a811b896da640e5b8ddca7e515f19085932d4..f34a8d68bdd096cf1b019a9806bd1e6eba028d77:/lib/controller/proxy.go
diff --git a/lib/controller/proxy.go b/lib/controller/proxy.go
index d7381860ea..26d1859ec8 100644
--- a/lib/controller/proxy.go
+++ b/lib/controller/proxy.go
@@ -42,6 +42,14 @@ var dropHeaders = map[string]bool{
 "Accept-Encoding": true,
 "Content-Encoding": true,
 "Transfer-Encoding": true,
+
+ // Content-Length depends on encoding.
+ "Content-Length": true,
+
+ // Defend against Rails vulnerability CVE-2023-22795 -
+ // we don't use this functionality anyway, so it costs us nothing.
+ //
+ "If-None-Match": true,
 }

 type ResponseFilter func(*http.Response, error) (*http.Response, error)
@@ -60,10 +68,13 @@ func (p *proxy) Do(
 hdrOut[k] = v
 }
 }
- xff := reqIn.RemoteAddr
- if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" {
- xff = xffIn + "," + xff
+ xff := ""
+ for _, xffIn := range reqIn.Header["X-Forwarded-For"] {
+ if xffIn != "" {
+ xff += xffIn + ","
+ }
 }
+ xff += reqIn.RemoteAddr
 hdrOut.Set("X-Forwarded-For", xff)
 if hdrOut.Get("X-Forwarded-Proto") == "" {
 hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
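Review bot: The comment on the new `"If-None-Match": true` entry trails off with an empty `//` line and never states what dropping the header costs, which is the first thing a reader will ask: once it is stripped, Rails can no longer answer a conditional GET with 304, so every client going through this proxy gets a full response body. Suggest replacing the three comment lines with `// Drop If-None-Match: Rails' handling of it is subject to ReDoS (CVE-2023-22795). We don't rely on conditional GETs (304) through this proxy, so callers simply get a full response.` It is also worth noting in the comment that this only protects requests that traverse this proxy; if the Rails API is reachable by any other route the header would arrive unfiltered (inferred — the routing is not visible here). The `dropHeaders` map literal opens before the hunk.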
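Review bot: The rewritten X-Forwarded-For assembly now forwards every client-supplied `X-Forwarded-For` value verbatim (previously only the first header was used) and appends `reqIn.RemoteAddr` last, so anything downstream that reads this header must treat only the rightmost entry as trustworthy — everything before it is attacker-controlled; a comment above `xff := ""` saying `// Client-supplied entries are untrusted; only the RemoteAddr appended last is ours.` would keep a future reader from trusting the first entry. `reqIn.RemoteAddr` is normally in `host:port` form for net/http servers, so the appended entry carries a port, which is unconventional for this header and can confuse parsers expecting bare IPs; if that is intentional say so, otherwise strip the port with `net.SplitHostPort` before appending. As a point of style, `strings.Join` over `reqIn.Header.Values("X-Forwarded-For")` (which canonicalizes the key, unlike the direct map index used here) would express the same concatenation without the `+=` loop. The enclosing method `Do` starts before the hunk and continues after it.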