[security:medium] Headers are not deleted for unprotected or skip locations with nginx handler
Concerned version
Version: 2.0.9 Platform: CentOS 7 (or 8), nginx 1.19.3 (openresty build, to have lua support)
Summary
When defining a location with an unprotect rule, I expect that:
- For authenticated users, exported headers are added to the request
- For unauthenticated users, exported headers are cleared before passing the request to the backend, to prevent unauthenticated users from sending arbitrary headers and faking an authenticated one
This used to work as expected when I was using the Apache handler (in the 1.2 era). I've just tested it again, but now I'm running the handler with nginx. Headers are not removed for unauthenticated users' requests. So, for example, if the backend app recognizes users by means of the Auth-User header, an unauthenticated user can just send this header with any valid user name, and the app will recognize it.
(Restricting access to this bug as it's a potential serious security issue)
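As an added illustration of the mitigation the report expects (this is editor-supplied example configuration, not from the bug report or the project's own handler), the snippet below shows a plain nginx unprotected location that strips the identity header before proxying, so the backend can never receive a client-supplied value. The header name Auth-User comes from the report; the location path, upstream address and the Lua alternative are assumptions, and any other exported headers would need the same treatment.

```nginx
# Added example, not part of the original report: defensive handling of an
# unprotected location. Path, upstream and the Lua block are assumptions.
location /public/ {
    # Whatever the client sent, never forward it upstream: an empty value
    # makes nginx omit the header from the proxied request entirely.
    proxy_set_header Auth-User "";

    # Equivalent approach for the OpenResty build mentioned in the report:
    # remove the header from the incoming request itself, so every later
    # phase (including any access_by_lua handler) sees it already gone.
    access_by_lua_block {
        ngx.req.clear_header("Auth-User")
    }

    proxy_pass http://backend.example:8080;
}
```

To check the behaviour described in the report, send an unauthenticated request carrying an Auth-User header to the unprotected location and confirm in the backend's request logging that the header is absent; if it arrives, the location is still forwarding client-controlled identity headers.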