From 680adb880be055d14139b8cb771b2a218305a490 Mon Sep 17 00:00:00 2001
From: Myles Horton
Date: Fri, 20 Dec 2024 09:02:28 -0700
Subject: [PATCH] Simpler and actually correct x-forwarded-for fix (#641)
* Simpler and actually correct x-forwarded-for fix
* Change to overwrite forwarded for
---
 proxyfilters/forwardedfor.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/proxyfilters/forwardedfor.go b/proxyfilters/forwardedfor.go
index 64ce708c..64f7e8ee 100644
--- a/proxyfilters/forwardedfor.go
+++ b/proxyfilters/forwardedfor.go
@@ -3,7 +3,6 @@ package proxyfilters
 import (
 "net"
 "net/http"
- "strings"
 
 "github.com/getlantern/proxy/v3/filters"
 )
@@ -17,10 +16,12 @@ const (
 var AddForwardedFor = filters.FilterFunc(func(cs *filters.ConnectionState, req *http.Request, next filters.Next) (*http.Response, *filters.ConnectionState, error) {
 if req.Method != http.MethodConnect {
 if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
- if prior, ok := req.Header[xForwardedFor]; ok {
- clientIP = strings.Join(prior, ", ") + ", " + clientIP
- }
+ // Proxies are supposed to actually overwrite previous values, as they
+ // can be maliciously set by the client.
 req.Header.Set(xForwardedFor, clientIP)
+ } else {
+ // If we can't parse the client IP, we should remove the header.
+ req.Header.Del(xForwardedFor)
 }
 }
 return next(cs, req)
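Review bot: The unconditional `req.Header.Set(xForwardedFor, clientIP)` in the second hunk is only correct when `req.RemoteAddr` is the real client, i.e. when this filter runs on the first trusted hop; if the proxy is ever deployed behind a load balancer or another proxy (not visible here), every request would be attributed to that hop's address and the genuine chain would be lost. I would state that assumption in the comment, for example `// This proxy is the trust boundary: RemoteAddr is the only client address we can vouch for, so any inbound X-Forwarded-For is discarded.` Two gaps remain on the new side: CONNECT requests skip both branches, so a client-supplied X-Forwarded-For on a CONNECT request is left untouched, and other client-controlled forwarding headers such as `Forwarded` or `X-Real-IP` are not cleared, which matters if anything downstream reads them. The closure's closing lines fall outside the hunk.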