From 4931f30a8040a4b10db0535ec5d111c68e2b8515 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg
Date: Thu, 26 Oct 2017 19:00:43 +0200
Subject: [PATCH] authproxy.md: strip X-Remote-User

follow-up for https://github.com/coreos/dex/pull/1100
---
 Documentation/authproxy.md | 13 +++++++++++++
 server/server.go | 12 +++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/Documentation/authproxy.md b/Documentation/authproxy.md
index 10ff1980..c0771856 100644
--- a/Documentation/authproxy.md
+++ b/Documentation/authproxy.md
@@ -25,6 +25,15 @@ location and provides the result in the X-Remote-User HTTP header.
 The following configuration will work for Apache 2.4.10+:
 ```
+
+ ProxyPass "http://localhost:5556/dex/"
+ ProxyPassReverse "http://localhost:5556/dex/"
+
+ # Strip the X-Remote-User header from all requests except for the ones
+ # where we override it.
+ RequestHeader unset X-Remote-User
+
+
 AuthType Basic
 AuthName "db.debian.org webPassword"
@@ -62,6 +71,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
 ProxyPass "http://localhost:5556/dex/"
 ProxyPassReverse "http://localhost:5556/dex/"
+
+ # Strip the X-Remote-User header from all requests except for the ones
+ # where we override it.
+ RequestHeader unset X-Remote-User
diff --git a/server/server.go b/server/server.go
index d1e1ff56..65de3b83 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "net/url"
 "path"
+ "strings"
 "sync"
 "sync/atomic"
 "time"
@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 handleWithCORS("/keys", s.handlePublicKeys)
 handleFunc("/auth", s.handleAuthorization)
 handleFunc("/auth/{connector}", s.handleConnectorLogin)
- handleFunc("/callback", s.handleConnectorCallback)
+ r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
+ // Strip the X-Remote-* headers to prevent security issues on
+ // misconfigured authproxy connector setups.
+ for key := range r.Header {
+ if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
+ r.Header.Del(key)
+ }
+ }
+ s.handleConnectorCallback(w, r)
+ })
 // For easier connector-specific web server configuration, e.g. for the
 // "authproxy" connector.
 handleFunc("/callback/{connector}", s.handleConnectorCallback)
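Review bot: In the added `r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {` the closure parameter `r` shadows the router `r` it is being registered on, and this is the only route in the block that bypasses the `handleFunc` helper its siblings use, so the issuer-path joining is duplicated inline. Moving the stripping into a small wrapper keeps the registration uniform, `handleFunc("/callback", stripRemoteHeaders(s.handleConnectorCallback))`, assuming `handleFunc` (defined above the hunk) registers with the same joined path. The untouched `handleFunc("/callback/{connector}", s.handleConnectorCallback)` line below deserves a comment such as `// X-Remote-* is deliberately kept here: the reverse proxy injects the trusted identity on this path, so header hygiene relies on the proxy configuration in Documentation/authproxy.md.` so a later reader does not "fix" it by adding the same stripping. newServer begins and ends outside the hunk.
```go
	handleFunc("/auth/{connector}", s.handleConnectorLogin)
	handleFunc("/callback", stripRemoteHeaders(s.handleConnectorCallback))
	// … unchanged: /callback/{connector} and the remaining route registrations …

// stripRemoteHeaders returns a handler that deletes every incoming X-Remote-*
// header before calling h, so a client reaching this path directly cannot
// present an identity the authproxy connector would otherwise trust.
func stripRemoteHeaders(h http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		for key := range req.Header {
			if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
				req.Header.Del(key)
			}
		}
		h(w, req)
	}
}
```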