This repository has been archived by the owner on Feb 22, 2024. It is now read-only.
Use ProxyFix instead of inspecting X-Forwarded-For header #542
PR #352 fixed a security issue in extracting a correct remote IP address from the `X-Forwarded-For` header. The fix however doesn't take multiple trusted proxies into account, which you typically have in a load balanced setup (e.g. HAProxy + Nginx). The problem is located here, and can quickly be demonstrated with this example where it's always the last address in `X-Forwarded-For` being chosen:

The problem with the current code is that if you use ProxyFix to set a correct IP address in `request.remote_addr`, then Flask-Security doesn't pick it up because `X-Forwarded-For` headers are inspected first. The workaround so far is, in addition to ProxyFix, to use HeaderRewriterFix to remove the `X-Forwarded-For` headers completely from the request.

Proposal

IMHO, Flask-Security (and any other Flask extension for that matter) should rely solely on `request.remote_addr` to get the client IP address, and only document that you should use ProxyFix in order to ensure that `remote_addr` is set correctly (already done in Flask-Security).
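The difference between "take the last address in `X-Forwarded-For`" and "walk in by the number of proxies you trust" is easiest to see on a concrete chain. The example below is added here and is neither Flask-Security nor Werkzeug code: `trusted_forwarded_for` mirrors the counting approach ProxyFix uses when configured with `x_for=N` (N = number of proxies you operate), and `naive_last_address` reproduces the behaviour the PR complains about. The addresses and both request dictionaries are constructed for the illustration.

```python
# Added example (not Flask-Security or Werkzeug code). Shows why the
# extension should rely on request.remote_addr as set by ProxyFix rather
# than inspecting X-Forwarded-For itself.
#
# Each proxy appends the address of the connection it received, so behind
# HAProxy + Nginx the application sees:
#     X-Forwarded-For: <client>, <haproxy>
# with request.remote_addr == <nginx>. Only the entries appended by proxies
# you operate are trustworthy; anything further left is client-controlled.


def naive_last_address(xff):
    """The flawed approach: always take the last address in the header.
    Behind more than one proxy this yields the address of a proxy, never
    the client."""
    if not xff:
        return None
    return xff.split(",")[-1].strip()


def trusted_forwarded_for(remote_addr, xff, trusted_proxies):
    """Mirror of the counting approach ProxyFix (x_for=N) takes: step N
    entries in from the right, where N is the number of proxies you
    control in front of the app. If the header has fewer entries than
    that, it did not pass through every trusted hop, so the direct peer
    address (remote_addr) is kept instead."""
    if trusted_proxies <= 0 or not xff:
        return remote_addr
    addrs = [a.strip() for a in xff.split(",") if a.strip()]
    if len(addrs) < trusted_proxies:
        return remote_addr
    return addrs[-trusted_proxies]


# Constructed request as seen by the app behind HAProxy (10.0.0.2) and
# Nginx (10.0.0.3); the real client is 203.0.113.7.
HONEST_REQUEST = {
    "remote_addr": "10.0.0.3",
    "X-Forwarded-For": "203.0.113.7, 10.0.0.2",
}

# Same chain, but the client sent its own forged X-Forwarded-For value,
# which the first proxy simply appended to. The forged entry ends up on
# the left and is ignored when counting trusted hops from the right.
SPOOFED_REQUEST = {
    "remote_addr": "10.0.0.3",
    "X-Forwarded-For": "198.51.100.9, 203.0.113.7, 10.0.0.2",
}


def demo(trusted_proxies=2):
    """Evaluate both strategies on both constructed requests."""
    results = {}
    for name, req in (("honest", HONEST_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        results[name] = {
            "naive_last": naive_last_address(req["X-Forwarded-For"]),
            "trusted_hops": trusted_forwarded_for(
                req["remote_addr"], req["X-Forwarded-For"], trusted_proxies
            ),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With two trusted proxies, `naive_last` returns `10.0.0.2` (HAProxy) for both requests, while `trusted_hops` returns the real client `203.0.113.7` in both cases, including the forged one. Running the counting step once, in a ProxyFix-style middleware that writes the result into `request.remote_addr`, is what lets every extension read a single, already-sanitised value.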