Insecure algorithm for determining remote/scheme/host #2171
Long story short
(I’m reporting this in the open rather than privately, because
This involves the headers
The same applies to the headers
aiohttp takes the first element from
In most deployments where aiohttp sits behind nginx, the
In fact, it’s impossible to configure current versions of nginx to correctly append a
But even if aiohttp were sitting behind a proxy that correctly controlled all of the involved headers, nothing would change, because the proxy would append a comma-separated element to the remote user's
Steps to reproduce
Run this server program:
behind nginx with the following configuration (derived from the example):
and send requests to it with curl:
aiohttp Git master, Python 3.5, Linux
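To make the point concrete, here is an added, stand-alone illustration (not aiohttp's own code, and not aiohttp-remotes) of the two policies the report contrasts: taking the first comma-separated element of the forwarded headers, versus walking the chain from the right and honouring only hops that belong to configured proxy networks. The sample headers, the peer address 10.0.0.2, the network 10.0.0.0/8 and the function names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample (not from the issue): a request that reached aiohttp from
# nginx at 10.0.0.2. The client forged "X-Forwarded-For: 1.2.3.4"; nginx
# appended the real peer 203.0.113.7 (what $proxy_add_x_forwarded_for does),
# and the client also supplied its own X-Forwarded-Proto / X-Forwarded-Host.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "1.2.3.4, 203.0.113.7",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "evil.example, app.example",
}
PROXY_PEER = "10.0.0.2"           # TCP peer of the aiohttp socket (assumed)
TRUSTED_PROXIES = ["10.0.0.0/8"]  # networks our reverse proxies live in (assumed)


def _elements(headers, name):
    """Case-insensitive lookup returning the comma-separated elements of a header."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return [part.strip() for part in value.split(",") if part.strip()]
    return []


def _is_trusted(addr, nets):
    """True if addr parses as an IP address inside one of the trusted networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def naive_remote(headers, peer):
    """The rule the issue objects to: the first X-Forwarded-For element.
    That element is whatever the client chose to send, so it is forgeable."""
    chain = _elements(headers, "X-Forwarded-For")
    return chain[0] if chain else peer


def safe_remote(headers, peer, trusted_proxies):
    """Walk X-Forwarded-For from the right, skipping our own proxies; the first
    hop that is not a trusted proxy is the client. If the TCP peer itself is
    not a trusted proxy, the header is attacker-controlled and is ignored."""
    nets = [ip_network(n) for n in trusted_proxies]
    if not _is_trusted(peer, nets):
        return peer
    for hop in reversed(_elements(headers, "X-Forwarded-For")):
        if not _is_trusted(hop, nets):
            return hop
    return peer  # only proxies in the chain: fall back to the socket peer


def _proxy_supplied(headers, name, peer, trusted_proxies, default):
    """Last element of a forwarded header (the one the proxy added), honoured
    only when the TCP peer is a trusted proxy; otherwise the default."""
    nets = [ip_network(n) for n in trusted_proxies]
    if not _is_trusted(peer, nets):
        return default
    elements = _elements(headers, name)
    return elements[-1] if elements else default


def safe_scheme(headers, peer, trusted_proxies, default="http"):
    """Scheme as seen by the proxy, falling back to the plain listener scheme."""
    return _proxy_supplied(headers, "X-Forwarded-Proto", peer, trusted_proxies, default).lower()


def safe_host(headers, peer, trusted_proxies, default):
    """Host as seen by the proxy, falling back to the configured default."""
    return _proxy_supplied(headers, "X-Forwarded-Host", peer, trusted_proxies, default)


if __name__ == "__main__":
    print("naive remote:", naive_remote(SAMPLE_HEADERS, PROXY_PEER))                 # 1.2.3.4
    print("safe remote: ", safe_remote(SAMPLE_HEADERS, PROXY_PEER, TRUSTED_PROXIES))  # 203.0.113.7
    print("safe scheme: ", safe_scheme(SAMPLE_HEADERS, PROXY_PEER, TRUSTED_PROXIES))  # https
    print("safe host:   ", safe_host(SAMPLE_HEADERS, PROXY_PEER, TRUSTED_PROXIES, "localhost"))  # app.example
```

The right-to-left walk only helps if the trust anchor holds: the proxy must be the TCP peer, and for the scheme and host it must overwrite the header with its own value rather than pass the client's through, which is exactly why the report says a proxy that merely appends to a client-supplied header does not make the first-element rule safe.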
For example, see Gunicorn’s
People will reimplement
I like the idea of additional opt-in application parameters for configuring the corresponding header.
@asvetlov The parameter could combine headers and indices, like this:
I've decided to drop the header lookup for the mentioned properties entirely, but support
added a commit on Oct 1, 2017
@asvetlov I am a huge fan of the work you do, but this is the second time in the span of a week and a half where you have introduced a breaking change in a minor version (first yarl, now aiohttp). The yarl issue affected us while doing a deployment, which brought down our production environment. This time, we noticed the issue in a testing environment (luckily), when, as a direct response to the yarl issue, we upgraded to the latest version of aiohttp.
We host clusters of aiohttp services behind Amazon ALBs, which redirect all traffic internally via HTTP, not HTTPS. We use the scheme to determine which protocol was used to send URLs back to clients. This is important when running in dev environments vs. production. We do not support HTTP in production, which is where this becomes breaking. Checking the scheme in prod now returns URLs prefixed with HTTP scheme, instead of HTTPS.
While it's not a big issue for us to adapt to, breaking changes should not be introduced in minor versions. Therefore we don't go digging through change logs to see what we need to change when performing a minor upgrade.
I reiterate, I love the work you do and am super thankful for everything you have provided to the Python community. But please please please be careful with versioning!
I hope you understand,
@thomaspsk thank you for feedback.
We have created https://github.com/wikibusiness/aiohttp-remotes to help users respect headers like
For your case, the closest (but not secure) way is to add a middleware:
The library will be moved into aio-libs organization just after writing documentation.
Sorry for the inconvenience caused.