From 927ee80da12321dec15145f1215383b276fa8d41 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Thu, 18 Mar 2021 13:22:28 +0100
Subject: [PATCH] Stop reading X-Forwarded-Port

X-Forwarded-Port contains the destination port, not the source port, so it isn't useful for our purposes. Move parsing of X-Forwarded-* header fields to parseForwarded.
---
 server.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/server.go b/server.go
index c44f7df..e284acd 100644
--- a/server.go
+++ b/server.go
@@ -212,17 +212,13 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 }
 }
 
- // Only trust X-Forwarded-* header fields if this is a trusted proxy IP
+ // Only trust the Forwarded header field if this is a trusted proxy IP
 // to prevent users from spoofing the remote address
 remoteAddr := req.RemoteAddr
 if isProxy {
 forwarded := parseForwarded(req.Header)
- forwardedHost := req.Header.Get("X-Forwarded-For")
- forwardedPort := req.Header.Get("X-Forwarded-Port")
 if forwarded["for"] != "" {
 remoteAddr = forwarded["for"]
- } else if forwardedHost != "" && forwardedPort != "" {
- remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
 }
 }
 
@@ -232,7 +228,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 func parseForwarded(h http.Header) map[string]string {
 forwarded := h.Get("Forwarded")
 if forwarded == "" {
- return nil
+ return map[string]string{
+ "for": h.Get("X-Forwarded-For"),
+ "proto": h.Get("X-Forwarded-Proto"),
+ "host": h.Get("X-Forwarded-Host"),
+ }
 }
 // Hack to easily parse header parameters
 _, params, _ := mime.ParseMediaType("hack; " + forwarded)
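Review bot: The rewritten comment in the ServeHTTP hunk says only the `Forwarded` field is trusted, but `parseForwarded` now falls back to `X-Forwarded-For`, so `forwarded["for"]` can still carry that header's value; the comment should say so, e.g. `// Only trust Forwarded / X-Forwarded-* header fields if this is a trusted proxy IP`. With the `net.JoinHostPort` branch removed, `remoteAddr` can also end up as a bare address with no port, or any other string the header held, whereas `req.RemoteAddr` is host:port; whether the consumer of `remoteAddr` tolerates that is not visible here. Consider checking the value with `net.SplitHostPort` / `net.ParseIP` and keeping `req.RemoteAddr` when it does not parse. ServeHTTP starts and ends outside the hunk.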
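Review bot: The `"for"` fallback in parseForwarded copies `X-Forwarded-For` verbatim, but that field is commonly a comma-separated chain in which only the entry appended by the trusted proxy is reliable; earlier entries are whatever the client sent if the proxy appends rather than overwrites. Because ServeHTTP uses this value as the remote address, the fallback should return a single trimmed entry, and with one trusted proxy in front that is the last one (several chained trusted proxies would need a walk from the right instead). `h.Get` also returns only the first header line when the field is repeated, so the sketch below joins `h.Values` first; it assumes `strings` is imported in server.go, which the hunk does not show. parseForwarded continues past the end of the hunk.

```go
	if forwarded == "" {
		// The entry appended by the trusted proxy is the last one; earlier
		// entries may have been supplied by the client.
		xff := strings.Join(h.Values("X-Forwarded-For"), ",")
		if i := strings.LastIndexByte(xff, ','); i >= 0 {
			xff = xff[i+1:]
		}
		return map[string]string{
			"for": strings.TrimSpace(xff),
			// … unchanged: "proto" and "host" entries …
		}
	}
```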