From b3b971480f58756d6d832589f9adfd91f3521480 Mon Sep 17 00:00:00 2001
From: Asher <ash@coder.com>
Date: Wed, 17 May 2023 11:51:05 -0800
Subject: [PATCH] Support X-Forwarded-Host with multiple hosts

Closes #6215.
---
 src/node/http.ts            | 8 ++++++--
 test/unit/node/http.test.ts | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/node/http.ts b/src/node/http.ts
index 0d9e2f6f1..742ff0f17 100644
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -386,10 +386,14 @@ function getHost(req: express.Request): string | undefined {
     }
   }
 
-  // Honor X-Forwarded-Host if present.
+  // Honor X-Forwarded-Host if present.  Some reverse proxies will set multiple
+  // comma-separated hosts.
   const xHost = getFirstHeader(req, "x-forwarded-host")
   if (xHost) {
-    return xHost.trim().toLowerCase()
+    const firstXHost = xHost.split(",")[0]
+    if (firstXHost) {
+      return firstXHost.trim().toLowerCase()
+    }
   }
 
   const host = getFirstHeader(req, "host")
diff --git a/test/unit/node/http.test.ts b/test/unit/node/http.test.ts
index d9f0271e3..59a09dc87 100644
--- a/test/unit/node/http.test.ts
+++ b/test/unit/node/http.test.ts
@@ -58,6 +58,7 @@ describe("http", () => {
       ;[
         ["host", test.host],
         ["x-forwarded-host", test.host],
+        ["x-forwarded-host", `${test.host}, ${test.host}`],
         ["forwarded", `for=127.0.0.1, host=${test.host}, proto=http`],
         ["forwarded", `for=127.0.0.1;proto=http;host=${test.host}`],
         ["forwarded", `proto=http;host=${test.host}, for=127.0.0.1`],