From c3d692ac5130a5c6f2ab0d89beb22c3b981630e2 Mon Sep 17 00:00:00 2001
From: Rutger Broekhoff
Date: Wed, 24 Jan 2024 20:25:31 +0100
Subject: Use X-Forwarded-Host instead of X-Forwarded-For

---
 server/src/main.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/server/src/main.rs b/server/src/main.rs
index 9826873..0f12c8f 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -722,20 +722,19 @@ struct AuthorizationConfig {
 
 struct Trusted(bool);
 
-fn forwarded_for_trusted_host(
+fn forwarded_from_trusted_host(
 headers: &HeaderMap,
 trusted: &HashSet,
 ) -> Result> {
- println!("Trusted: {:?}, headers: {:?}", trusted, headers);
- if let Some(forwarded_for) = headers.get("X-Forwarded-For") {
- if let Ok(forwarded_for) = forwarded_for.to_str() {
- if trusted.contains(forwarded_for) {
+ if let Some(forwarded_host) = headers.get("X-Forwarded-Host") {
+ if let Ok(forwarded_host) = forwarded_host.to_str() {
+ if trusted.contains(forwarded_host) {
 return Ok(true);
 }
 } else {
 return Err(make_error_resp(
 StatusCode::NOT_FOUND,
- "Invalid X-Forwarded-For header",
+ "Invalid X-Forwarded-Host header",
 ));
 }
 }
@@ -765,7 +764,7 @@ fn authorize_batch(
 return Ok(Trusted(true));
 }
 
- let trusted = forwarded_for_trusted_host(headers, &conf.trusted_forwarded_hosts)?;
+ let trusted = forwarded_from_trusted_host(headers, &conf.trusted_forwarded_hosts)?;
 if operation != common::Operation::Download {
 if trusted {
 return Err(make_error_resp(
-- 
cgit v1.2.3
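Review bot: `forwarded_from_trusted_host` takes the request's own `X-Forwarded-Host` value as the trust signal, and that header is client-supplied unless the reverse proxy in front overwrites it, so the check is only sound when the server can be reached solely through such a proxy. The function should state that deployment assumption in a doc comment, for example `/// Only meaningful behind a proxy that sets X-Forwarded-Host itself and discards any client-sent value.` If `HeaderMap` is the `http` crate type (not visible here), `get` returns only the first value of a repeated header, so it would be safer to fail closed on duplicates, e.g. `if headers.get_all("X-Forwarded-Host").iter().count() > 1 { /* return the same NOT_FOUND error */ }`. The tail of the function lies outside this hunk, so the fall-through result cannot be checked from here; the second hunk only renames the call in `authorize_batch`, where the result appears to gate non-download operations.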