HTTP_X_FORWARDED_HOST can be multi-valued with USE_X_FORWARDED_HOST
|Reported by:||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Hello! It turns out HTTP_X_FORWARDED_HOST can be multi-valued and separated with commas. This makes USE_X_FORWARDED_HOST + ALLOWED_HOSTS/get_host() unhappy, as it slurps the whole string into host.
The attached patch (and I'd appreciate any tips on how to do this as I don't really know how to submit patches) looks for a comma in HTTP_X_FORWARDED_HOST and pulls the first value into host.