Security issue: Trusted Reverse Proxy and X-Forwarded-* headers #4589
Labels: help-wanted (We need someone to help resolve this issue), inactive-issue, kind/enhancement, status/accepted
Hi!

Now anyone can submit the headers `X-Forwarded-Proto` and `X-Forwarded-For` to replace the return values of `this.Ctx.Input.Scheme()` and `this.Ctx.Input.IP()`. There is no verification of the legitimacy of the value substitution. This can affect sensitive functionality and deceive the system.

Trusted Proxies: a whitelist describing the IPs of reverse proxies; only on requests coming from those proxies is it allowed to take values from the `X-Forwarded-*` headers. If the request is not from a trusted proxy, the `X-Forwarded-*` headers are ignored.

https://symfony.com/doc/3.2/components/http_foundation/trusting_proxies.html
https://github.com/fideloper/TrustedProxy

Examples:

If the request IP is in the Trusted Proxies whitelist, then:

- `this.Ctx.Input.Scheme()` gets its value from the `X-Forwarded-Proto` header
- `this.Ctx.Input.IP()` gets its value from the `X-Forwarded-For` header
- `this.Ctx.Input.Host()` gets its value from the `X-Forwarded-Host` header

But if the request IP is NOT in the Trusted Proxies whitelist, then:

- `this.Ctx.Input.Scheme()` DOES NOT get its value from the `X-Forwarded-Proto` header
- `this.Ctx.Input.IP()` DOES NOT get its value from the `X-Forwarded-For` header
- `this.Ctx.Input.Host()` DOES NOT get its value from the `X-Forwarded-Host` header
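The trusted-proxy behaviour the issue asks for, written out as an added Go example. This is illustration code, not Beego's implementation and not the code of either linked project: the `TrustedProxies` type, its `ClientIP`, `Scheme` and `Host` methods, the CIDR list and the sample addresses are all assumptions constructed for the demo. It works on a plain `net/http.Request`, so it runs without Beego. Only when the TCP peer (`RemoteAddr`) is inside a trusted network are the `X-Forwarded-*` headers consulted; `X-Forwarded-For` is walked from the right, skipping addresses that are themselves trusted proxies, because the rightmost hop is the only one the trusted proxy actually vouches for. A malformed entry stops the walk and falls back to the peer address.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// TrustedProxies holds the networks from which X-Forwarded-* headers are honoured.
// (Hypothetical type for this example; Beego has no such type in the issue.)
type TrustedProxies struct {
	nets []*net.IPNet
}

// NewTrustedProxies parses CIDR strings; a bare address is treated as /32 (IPv4) or /128 (IPv6).
func NewTrustedProxies(cidrs ...string) (*TrustedProxies, error) {
	tp := &TrustedProxies{}
	for _, c := range cidrs {
		if !strings.Contains(c, "/") {
			if ip := net.ParseIP(c); ip != nil && ip.To4() != nil {
				c += "/32"
			} else {
				c += "/128"
			}
		}
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		tp.nets = append(tp.nets, n)
	}
	return tp, nil
}

// Trusted reports whether ip belongs to one of the whitelisted proxy networks.
func (tp *TrustedProxies) Trusted(ip net.IP) bool {
	for _, n := range tp.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// remoteIP extracts the TCP peer address; it never looks at headers.
func remoteIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// ClientIP returns the peer address unless the peer is a trusted proxy. In that case
// X-Forwarded-For is scanned right to left and the first address that is not itself a
// trusted proxy is returned. If every hop is trusted, or an entry does not parse, the
// peer address is returned rather than trusting an unverifiable value.
func (tp *TrustedProxies) ClientIP(r *http.Request) string {
	peer := remoteIP(r)
	if peer == nil {
		return ""
	}
	if !tp.Trusted(peer) {
		return peer.String()
	}
	var hops []string
	for _, v := range r.Header.Values("X-Forwarded-For") {
		for _, h := range strings.Split(v, ",") {
			if h = strings.TrimSpace(h); h != "" {
				hops = append(hops, h)
			}
		}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(hops[i])
		if ip == nil {
			break // malformed hop: nothing to its left can be trusted either
		}
		if !tp.Trusted(ip) {
			return ip.String()
		}
	}
	return peer.String()
}

// Scheme honours X-Forwarded-Proto only from a trusted peer and only for the two valid values.
func (tp *TrustedProxies) Scheme(r *http.Request) string {
	if peer := remoteIP(r); peer != nil && tp.Trusted(peer) {
		switch strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto"))) {
		case "https":
			return "https"
		case "http":
			return "http"
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// Host honours X-Forwarded-Host only from a trusted peer, otherwise the Host header is used.
func (tp *TrustedProxies) Host(r *http.Request) string {
	if peer := remoteIP(r); peer != nil && tp.Trusted(peer) {
		if h := strings.TrimSpace(r.Header.Get("X-Forwarded-Host")); h != "" {
			return h
		}
	}
	return r.Host
}

func main() {
	// Constructed sample: 10.0.0.0/8 is the assumed proxy tier, the client is 203.0.113.9.
	tp, err := NewTrustedProxies("10.0.0.0/8", "127.0.0.1")
	if err != nil {
		panic(err)
	}
	req := &http.Request{RemoteAddr: "10.0.0.5:4321", Host: "internal:8080", Header: http.Header{}}
	req.Header.Set("X-Forwarded-For", "203.0.113.9, 10.0.0.2")
	req.Header.Set("X-Forwarded-Proto", "https")
	req.Header.Set("X-Forwarded-Host", "example.com")
	fmt.Println(tp.ClientIP(req), tp.Scheme(req), tp.Host(req))
}
```

The same request arriving directly from an untrusted address keeps its peer IP, `http` scheme and original `Host`, whatever headers it carries, which is exactly the "DON'T get value from" branch of the issue.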