This repository has been archived by the owner on Feb 22, 2024. It is now read-only.
Use ProxyFix instead of inspecting X-Forwarded-For header #542
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lnielsen
force-pushed
the
feature-xforwardedfor-removal
branch
from
bfcb8ab
to
0676c29
Compare
|
Coverage decreased (-0.009%) to 94.274% when pulling bfcb8ab8d59033dc40a072f12394c380d00338b0 on lnielsen:feature-xforwardedfor-removal into 9e5865d on mattupstate:develop. |
1 similar comment
|
PyPy build is failing probably due to latest peewee release (2.8.2 release on Aug 9) |
|
This is great. Thanks for this. Are you able to rebase off of develop and get the build passing? |
Changes trackable feature to always rely on having a correctly set IP address in request.remote_addr via e.g. Werkzeug's ProxyFix instead of inspecting X-Forwarded-For headers (in which the current implementation doesn't take multiple trusted proxies into account).
lnielsen
force-pushed
the
feature-xforwardedfor-removal
branch
from
0676c29
to
8ea7e50
Compare
boydgreenfield
added a commit
to onecodex/flask-security
that referenced
this pull request
Mar 29, 2017
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR #352 fixed a security issue in extracting a correct remote IP address from
X-Forwarded-Forheader.The fix however doesn't take multiple trusted proxies into account, which you typically have in a load balanced setup (e.g. HAProxy + Nginx). The problem is located here, and can quickly be demonstrated with this example where it's always the last address in
X-Forwarded-Forbeing chosen:The problem with the current code is that if you use ProxyFix to set a correct IP address in
request.remote_addr, then Flask-Security doesn't pick it up because X-Forwarded-For headers are inspected first. The workaround so far, is in addition to ProxyFix to use HeaderRewriterFix to remove the X-Forwarded-For headers completely from the request.Proposal
IMHO, Flask-Security (and any other Flask extension for that matter) should rely solely on
request.remote_addrto get the client IP address, and only document that you should use ProxyFix in order to ensure thatremote_addris set correctly (already done in Flask-Security).