528201 - buglist.cgi post-2-get redirect did not work behind reverse proxy - misuse of HTTP_X_FORWARDED_HOST

Status: RESOLVED DUPLICATE of bug 509303

(Bugzilla :: Query/Bug List, defect)

Description

[Hendrik Harms]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.14) Gecko/2009090216 Ubuntu/8.04 (hardy) Firefox/3.0.14
Build Identifier: Bugzilla 3.4.3

when buglist.cgi receives a POST request (send by query.cgi) it generates a redirect to itself to transform the request to a simple GET request. The redirecting url was generated by using the CGI.pm of the installed perl environment. If this CGI.pm finds the header HTTP_X_FORWARDED_HOST it will place it into the redirection url. 

Reproducible: Always

Steps to Reproduce:
This causes a problem in the following reverse proxy setup:

Reverse Proxy:
  https://mycompany.com/
  has this config:
    ProxyPass  /bugzilla  http://mybugzilla.localnet.me:8080/bugzilla
    ProxyPassReverse /    http://mybugzilla.localnet.me:8080/

  there is a firewall between mycompany.com and the localnet.me
  the browser could not see the mybugzilla server directly

by starting an search via query.cgi a POST request like this is send:
> POST https://mycompany.com/bugzilla/buglist.cgi HTTP/1.1
Actual Results:  
the resonse to this request is a redirect with following location line:
> Location: http://mycompany.com:8080/bugzilla/buglist.cgi?query_format=adv...

CGI.pm replaces the server name by the header HTTP_X_FORWARED_HOST.

This location could be translated by a special ReverseProxyPass configuration, but I don't think that this is the right way to fix this.

Expected Results:  
the resonse should be a redirect with a location line like this:
> Location: http://mybugzilla.localnet.me/bugzilla/buglist.cgi?query_format=ad..

Comment 1

[Hendrik Harms]

expected result should also contain the port: 
Location: http://mybugzilla.localnet.me:8080/bugzilla/buglist.cgi?query_fo...