From 187e204ce403e7aac0ea67348eaad012a68f10bb Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Tue, 19 Nov 2024 14:47:17 +0100
Subject: [PATCH] Clear out sensitive fake headers from client

We use the header dict to pass on non-header information to the authentication plugins. Make sure an evil client isn't trying to sneak something in that hasn't been verified by us. Issue found by Kevin Rasmussen.
---
 websockify/websocketproxy.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/websockify/websocketproxy.py b/websockify/websocketproxy.py
index 141db88..5afec81 100644
--- a/websockify/websocketproxy.py
+++ b/websockify/websocketproxy.py
@@ -60,6 +60,12 @@ Traffic Legend:
 if not self.server.auth_plugin:
 return

+ # clear out any existing SSL_ headers that the client might
+ # have maliciously set
+ ssl_headers = [ h for h in self.headers if h.startswith('SSL_') ]
+ for h in ssl_headers:
+ del self.headers[h]
+
 try:
 # get client certificate data
 client_cert_data = self.request.getpeercert()
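Review bot: The prefix test in the added list comprehension, `h.startswith('SSL_')`, is case-sensitive while HTTP header names are not, so a client-supplied header whose name starts with a lower- or mixed-case `ssl_` is not removed by this scrub. If `self.headers` is the standard-library message object (name lookups ignore case, and item assignment appends rather than replaces), a plugin reading an `SSL_` entry could still be handed the client's value instead of the verified one; that depends on code outside the hunk, so it needs confirming. Normalising the name before the comparison closes the gap: `ssl_headers = [ h for h in self.headers if h.upper().startswith('SSL_') ]`. A regression test that sends a lower-case `ssl_`-prefixed header and asserts it is absent when the auth plugin runs would pin this down. The enclosing function starts and ends outside the hunk.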