Security issue: Trusted Reverse Proxy and X-Forwarded-* headers #4589
Comments
flycash
added
help-wanted
|
This issue is inactive for a long time. |
|
This feature is not patched even in the current version. A typical example is the following blog post. To solve this problem, as mentioned by @4n70w4, you need to add the TrustedProxy function or trust the X-Forwarded-For header only for A number of reverse proxies running in front of the backend. If you're not thinking of doing all this, I think there should be decent documentation mentioning the problem with this.Ctx.Input.IP(). Thank you for running a great project. 😎 |
Hi!
Now anyone can submit headers
X-Forwarded-ProtoandX-Forwarded-Forfor replace return values ofthis.Ctx.Input.Scheme()andthis.Ctx.Input.IP(). There is no verification of the legitimacy of the value substitution. This can affect sensitive functionality and deceive the system.Trusted Proxies — whitelist for describe ip's of reverse proxies on requests from which it is allowed to take values from
X-Forwarded-*headers. If the request is not from a trusted proxy,X-Forwarded-*headers are ignored.https://symfony.com/doc/3.2/components/http_foundation/trusting_proxies.html
https://github.com/fideloper/TrustedProxy
Examples:
If request ip in Trusted Proxies whitelist then:
this.Ctx.Input.Scheme()get value fromX-Forwarded-Protoheaderthis.Ctx.Input.IP()get value fromX-Forwarded-Forheaderthis.Ctx.Input.Host()get value fromX-Forwarded-HostheaderBut if request ip NOT in Trusted Proxies whitelist then:
this.Ctx.Input.Scheme()DON'T get value fromX-Forwarded-Protoheaderthis.Ctx.Input.IP()DON'T get value fromX-Forwarded-Forheaderthis.Ctx.Input.Host()DON'T get value fromX-Forwarded-HostheaderThe text was updated successfully, but these errors were encountered: