Gateway plugin security fix.

ideal-world · Mar 26, 2024 · edde2b9 · edde2b9
1 parent d390697
commit edde2b9
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/support/auth/src/serv/auth_kernel_serv.rs b/support/auth/src/serv/auth_kernel_serv.rs
@@ -57,6 +57,9 @@ fn check(req: &mut AuthReq) -> TardisResult<bool> {
 }
 
 async fn ident(req: &mut AuthReq, config: &AuthConfig, cache_client: &TardisCacheClient) -> TardisResult<AuthContext> {
+    // Do not allow external header information to be used internally
+    req.headers.remove(&config.head_key_auth_ident);
+
     let rbum_kind = if let Some(rbum_kind) = req.headers.get(&config.head_key_protocol).or_else(|| req.headers.get(&config.head_key_protocol.to_lowercase())) {
         rbum_kind.to_string()
     } else {