From a6c6127e3372d9b47d84a4cd574d52d2971c7bb8 Mon Sep 17 00:00:00 2001 From: Filip Kszczot Date: Tue, 28 Jul 2020 01:02:03 +0200 Subject: [PATCH 1/4] spelling(docs/content/routing/providers/docker.md) --- docs/content/https/acme.md | 2 +- docs/content/routing/providers/docker.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md index f07cf410d..4cca2ec62 100644 --- a/docs/content/https/acme.md +++ b/docs/content/https/acme.md @@ -362,7 +362,7 @@ For complete details, refer to your provider's _Additional configuration_ link. | [Zonomi](https://zonomi.com) | `zonomi` | `ZONOMI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi) | [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/) -[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application) +[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production) [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76) [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider. [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`. diff --git a/docs/content/routing/providers/docker.md b/docs/content/routing/providers/docker.md index e19aafaa5..99128c188 100644 --- a/docs/content/routing/providers/docker.md +++ b/docs/content/routing/providers/docker.md 
@@ -535,7 +535,7 @@ You can declare UDP Routers and/or Services using labels. my-container: # ... labels: - - "traefik.udp.routers.my-router.entrypoint=udp" + - "traefik.udp.routers.my-router.entrypoints=udp" - "traefik.udp.services.my-service.loadbalancer.server.port=4123" ``` From e63db782c11c7b8bfce30be4c902e7ef8f9f33d2 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Tue, 28 Jul 2020 10:08:03 +0200 Subject: [PATCH 2/4] fix: clean X-Forwarded-Prefix header for the dashboard. --- pkg/api/dashboard.go | 23 +++++++++++++++-- pkg/api/dashboard_test.go | 54 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 pkg/api/dashboard_test.go diff --git a/pkg/api/dashboard.go b/pkg/api/dashboard.go index e71252e48..b3168de8e 100644 --- a/pkg/api/dashboard.go +++ b/pkg/api/dashboard.go @@ -2,6 +2,7 @@ package api import ( "net/http" + "net/url" "github.com/containous/traefik/v2/pkg/log" assetfs "github.com/elazarl/go-bindata-assetfs" @@ -23,11 +24,29 @@ func (g DashboardHandler) Append(router *mux.Router) { // Expose dashboard router.Methods(http.MethodGet). Path("/"). - HandlerFunc(func(response http.ResponseWriter, request *http.Request) { - http.Redirect(response, request, request.Header.Get("X-Forwarded-Prefix")+"/dashboard/", http.StatusFound) + HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { + http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound) }) router.Methods(http.MethodGet). PathPrefix("/dashboard/"). Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets))) } + +func safePrefix(req *http.Request) string { + prefix := req.Header.Get("X-Forwarded-Prefix") + if prefix == "" { + return "" + } + + parse, err := url.Parse(prefix) + if err != nil { + return "" + } + + if parse.Host != "" { + return "" + } + + return parse.Path +} diff --git a/pkg/api/dashboard_test.go b/pkg/api/dashboard_test.go new file mode 100644 index 000000000..c945a7000 --- /dev/null 
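Review bot: In `safePrefix`, the `parse.Host != ""` check is made on the header as parsed, but the value returned is the percent-decoded `parse.Path`, which is not checked again before it is concatenated into the redirect target. A decoded path that begins with `//` or contains a backslash has an empty `Host` here, yet a browser can still read it as naming another host, so the guard looks incomplete. I would reject those forms before returning, e.g. `if p := parse.Path; strings.HasPrefix(p, "//") || strings.Contains(p, "\\") { return "" }`, which needs `strings` added in the import hunk of this file. The function also has no comment; `// safePrefix returns the path of the X-Forwarded-Prefix header, or "" when the header names a host or does not parse.` would record the contract, and it is worth stating there that the header is client-supplied unless a trusted proxy in front overwrites it.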
+++ b/pkg/api/dashboard_test.go @@ -0,0 +1,54 @@ +package api + +import ( + "net/http" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func Test_safePrefix(t *testing.T) { + testCases := []struct { + desc string + value string + expected string + }{ + { + desc: "host", + value: "https://example.com", + expected: "", + }, + { + desc: "host with path", + value: "https://example.com/foo/bar?test", + expected: "", + }, + { + desc: "path", + value: "/foo/bar", + expected: "/foo/bar", + }, + { + desc: "path without leading slash", + value: "foo/bar", + expected: "foo/bar", + }, + } + + for _, test := range testCases { + test := test + t.Run(test.desc, func(t *testing.T) { + t.Parallel() + + req, err := http.NewRequest(http.MethodGet, "http://localhost", nil) + require.NoError(t, err) + + req.Header.Set("X-Forwarded-Prefix", test.value) + + prefix := safePrefix(req) + + assert.Equal(t, test.expected, prefix) + }) + } +} From fdf2a68a111396d360da1cd420efd32825343125 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20M=C3=BCller?= Date: Tue, 28 Jul 2020 17:18:03 +0200 Subject: [PATCH 3/4] doc: add name of used key for kubernetes client auth --- docs/content/https/tls.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md index 40d0585b4..9b1023386 100644 --- a/docs/content/https/tls.md +++ b/docs/content/https/tls.md @@ -428,6 +428,7 @@ metadata: spec: clientAuth: + # the CA certificate is extracted from key `tls.ca` of the given secrets. secretNames: - secretCA clientAuthType: RequireAndVerifyClientCert From fc52d1cfba85cd48fe3055c5d82a30b6694a1e52 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Tue, 28 Jul 2020 17:34:03 +0200 Subject: [PATCH 4/4] Prepare release v2.2.8 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 585647ac7..89af253d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
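Review bot: The table in `Test_safePrefix` covers only absolute `https://` values on the rejecting side; the empty-header branch, the `url.Parse` error branch and a scheme-relative value are not exercised, so a regression in any of them would still pass. I would add cases such as `{desc: "scheme-relative host", value: "//example.com/foo", expected: ""}` and `{desc: "empty header", value: "", expected: ""}`, plus one malformed value that makes `url.Parse` return an error. The `path without leading slash` case pins `foo/bar` as an accepted prefix, which presumably produces a redirect target relative to the request path; if that is intended, a short comment on the case should say so.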
@@ -1,3 +1,13 @@ +## [v2.2.8](https://github.com/containous/traefik/tree/v2.2.8) (2020-07-28) +[All Commits](https://github.com/containous/traefik/compare/v2.2.7...v2.2.8) + +**Bug fixes:** +- **[webui]** fix: clean X-Forwarded-Prefix header for the dashboard. ([#7109](https://github.com/containous/traefik/pull/7109) by [ldez](https://github.com/ldez)) + +**Documentation:** +- **[docker]** spelling(docs/content/routing/providers/docker.md) ([#7101](https://github.com/containous/traefik/pull/7101) by [szczot3k](https://github.com/szczot3k)) +- **[k8s]** doc: add name of used key for kubernetes client auth ([#7068](https://github.com/containous/traefik/pull/7068) by [smueller18](https://github.com/smueller18)) + ## [v2.2.7](https://github.com/containous/traefik/tree/v2.2.7) (2020-07-20) [All Commits](https://github.com/containous/traefik/compare/v2.2.6...v2.2.7)