account for multiple host headers, add test for non-default port

lib/pleroma/web/plugs/ensure_host_plug.ex

@@ -20,6 +20,12 @@ defmodule Pleroma.Web.Plugs.EnsureHostPlug do
       [host] ->
         handle_host_header(host, conn)
 
+      [_host | _more] ->
+        conn
+        |> put_status(:bad_request)
+        |> text("Bad host header")
+        |> halt()
+
       [] ->
         handle_host_header(nil, conn)
     end
@@ -41,7 +47,7 @@ defmodule Pleroma.Web.Plugs.EnsureHostPlug do
     end
   end
 
-  defp handle_host_header(_, conn) do
+  defp handle_host_header(nil, conn) do
     conn
     |> put_status(:bad_request)
     |> text("Host header not present")

test/pleroma/web/plugs/ensure_host_plug_test.exs

@@ -74,6 +74,21 @@ defmodule Pleroma.Web.Plugs.EnsureHostPlugTest do
       end
     end
 
+    test "rejects a request where the hostname matches and there is no port, and we do not run on the default",
+         %{conn: conn} do
+      url = Pleroma.Web.Endpoint.struct_url()
+
+      conn =
+        conn
+        |> put_host_header(url.host)
+        |> EnsureHostPlug.call(%{})
+
+      assert conn.halted == true
+      assert conn.status == 400
+      assert conn.state == :sent
+      assert conn.resp_body == "Host header does not match"
+    end
+
     test "accepts a request where the hostname matches, with a port", %{conn: conn} do
       %{host: host, port: port} = Pleroma.Web.Endpoint.struct_url()
 
@@ -84,5 +99,20 @@ defmodule Pleroma.Web.Plugs.EnsureHostPlugTest do
 
       assert conn.halted == false
     end
+
+    test "rejects a request with multiple host headers", %{conn: conn} do
+      url = Pleroma.Web.Endpoint.struct_url()
+
+      conn =
+        conn
+        |> put_host_header(url.host)
+        |> put_host_header("example.com")
+        |> EnsureHostPlug.call(%{})
+
+      assert conn.halted == true
+      assert conn.status == 400
+      assert conn.state == :sent
+      assert conn.resp_body == "Bad host header"
+    end
   end
 end