From edde2b98568a67ccdc969072b3546cc36624d3c0 Mon Sep 17 00:00:00 2001
From: gudaoxuri
Date: Tue, 26 Mar 2024 22:30:13 +0800
Subject: [PATCH] Gateway plugin security fix.

---
 support/auth/src/serv/auth_kernel_serv.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/support/auth/src/serv/auth_kernel_serv.rs b/support/auth/src/serv/auth_kernel_serv.rs
index 22ab7d171..d6a790c22 100644
--- a/support/auth/src/serv/auth_kernel_serv.rs
+++ b/support/auth/src/serv/auth_kernel_serv.rs
@@ -57,6 +57,9 @@ fn check(req: &mut AuthReq) -> TardisResult {
 }
 
 async fn ident(req: &mut AuthReq, config: &AuthConfig, cache_client: &TardisCacheClient) -> TardisResult {
+    // Do not allow external header information to be used internally
+    req.headers.remove(&config.head_key_auth_ident);
+
     let rbum_kind = if let Some(rbum_kind) = req.headers.get(&config.head_key_protocol).or_else(|| req.headers.get(&config.head_key_protocol.to_lowercase())) {
         rbum_kind.to_string()
     } else {
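Review bot: The added `req.headers.remove(&config.head_key_auth_ident)` strips only the exact-case key, while the lookup on the very next line reads `head_key_protocol` under both its configured spelling and `.to_lowercase()`, which suggests this header map is case-sensitive and that inbound headers may arrive in either form. If the ident header is consumed later with the same dual lookup (its reader is outside this hunk), a lowercase-spelled copy would survive the removal and the new guard would be incomplete. Mirroring the existing pattern closes that gap: `req.headers.remove(&config.head_key_auth_ident); req.headers.remove(&config.head_key_auth_ident.to_lowercase());`, or, if `req.headers` exposes `retain`, `req.headers.retain(|k, _| !k.eq_ignore_ascii_case(&config.head_key_auth_ident));` to cover any casing. The added comment would be clearer as `// Strip any client-supplied ident header before any lookup; only this service may set it downstream`. The body of `ident` continues past the end of the hunk.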