From b875b960addf9fc0b1d228d620e6e69338f4a2a9 Mon Sep 17 00:00:00 2001
From: Jappie Klooster
Date: Tue, 19 Apr 2022 12:58:15 -0400
Subject: [PATCH] Escape X-Forwarded-Host header as well

It seems unlikely an attacker will actually manage to insert a line break at that point. But since this isn't a common code path. We may as well escape it for HTML.
---
 ChangeLog.md | 4 ++++
 Keter/Proxy.hs | 7 ++++++-
 keter.cabal | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index c6284d5..9697ab8 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.8.3
+
++ HTML escape X-forwarded-host response as well.
+
 ## 1.8.2
 
 + Fix XSS issue in the default response for host not found.
diff --git a/Keter/Proxy.hs b/Keter/Proxy.hs
index abd1d01..3346725 100644
--- a/Keter/Proxy.hs
+++ b/Keter/Proxy.hs
@@ -290,7 +290,12 @@ defaultUnknownHostBody host =
 
 unknownHostResponse :: ByteString -> ByteString -> Wai.Response
 unknownHostResponse host body = Wai.responseBuilder status200
- [("Content-Type", "text/html; charset=utf-8"), ("X-Forwarded-Host", host)]
+ [("Content-Type", "text/html; charset=utf-8"),
+ ("X-Forwarded-Host",
+ -- if an attacker manages to insert line breaks somehow,
+ -- this is also vulnerable.
+ escapeHtml host
+ )]
 (copyByteString body)
 
 escapeHtml :: ByteString -> ByteString
diff --git a/keter.cabal b/keter.cabal
index 398835b..80cb95d 100644
--- a/keter.cabal
+++ b/keter.cabal
@@ -1,6 +1,6 @@
 Cabal-version: >=1.10
 Name: keter
-Version: 1.8.2
+Version: 1.8.3
 Synopsis: Web application deployment manager, focusing on Haskell web frameworks
 Description: Hackage documentation generation is not reliable. For up to date documentation, please see: .
 Homepage: http://www.yesodweb.com/
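Review bot: In the new `("X-Forwarded-Host", escapeHtml host)` entry of unknownHostResponse, HTML escaping does not address the risk the adjacent comment names: a response header is not HTML, and escapeHtml (defined below, outside the hunk) leaves CR and LF bytes untouched while rewriting `&`, `<` and `"` into entities, so the reflected host value becomes inaccurate without becoming safe against header injection. The check a header value needs is to strip or reject control bytes, e.g. `("X-Forwarded-Host", Data.ByteString.filter (\w -> w /= 13 && w /= 10) host)` (using whichever alias the module already has for Data.ByteString), or to stop echoing the request host into a response header at all. Whether `host` can still contain CR/LF at this point depends on how the caller obtains it, which is outside the hunk, so the filter is cheap insurance either way. The comment should state the limit of what is applied, e.g. `-- escapeHtml neutralises HTML metacharacters only; it does not strip CR/LF from this header value`.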