Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discards optional port information from X-Forwarded-For header's IP parsing #1251

Merged
merged 1 commit into from
Apr 15, 2018
Merged

Discards optional port information from X-Forwarded-For header's IP parsing #1251

merged 1 commit into from
Apr 15, 2018

Conversation

dpritchett
Copy link
Contributor

@dpritchett dpritchett commented Apr 15, 2018
edited
Loading

Tests and documents the work from #1229 which should close #1227.

RFC 7239 describes an optional port specification in X-Forwarded-For that is apparently implemented in Microsoft Azure Application Gateway.

The relevant examples from the RFC are in section 6:

             "192.0.2.43:47011"
             "[2001:db8:cafe::17]:47011"

This PR attempts to gently discard the port information from X-Forwarded-For.

Should also close #1229.

@dpritchett
Copy link
Contributor Author

@tenderlove hopefully you can squash this into master; I can rebase and repush if it helps.

Thanks!

image

@dpritchett dpritchett force-pushed the djp/x-forwarded-for-with-ports branch 4 times, most recently from 0a5958d to ce7f9e1 Compare April 15, 2018 01:32
@dpritchett
Copy link
Contributor Author

Please don't merge me yet - I've found a busted merge in trying to preserve @wuhanyumsft's earlier PR.

@dpritchett dpritchett force-pushed the djp/x-forwarded-for-with-ports branch 2 times, most recently from e64a43b to e9eae8b Compare April 15, 2018 01:41
@dpritchett
Copy link
Contributor Author

Ok it's clean again, but I lost the @wuhanyumsft diff 😢

@dpritchett dpritchett force-pushed the djp/x-forwarded-for-with-ports branch from e9eae8b to a3dbe54 Compare April 15, 2018 01:43
@tenderlove
Copy link
Member

Great! Thank you!

@tenderlove tenderlove merged commit d8d6881 into rack:master Apr 15, 2018
@dpritchett dpritchett deleted the djp/x-forwarded-for-with-ports branch April 15, 2018 22:15
@mikegee mikegee mentioned this pull request Dec 17, 2018
Closed
eileencodes pushed a commit to eileencodes/rack that referenced this pull request Apr 16, 2019
@tenderlove @eileencodes
Merge pull request rack#1251 from dpritchett/djp/x-forwarded-for-with…
7889b0b 
…-ports

Discards optional port information from X-Forwarded-For header's IP parsing
@duncanjbrown duncanjbrown mentioned this pull request Apr 30, 2020
Closed
@duncanjbrown duncanjbrown mentioned this pull request May 3, 2020
Merged
duncanjbrown added a commit to duncanjbrown/rails that referenced this pull request May 5, 2020
@duncanjbrown
Don’t ignore X-Forwarded-For IPs with ports attached
c2077c8 
Rack decided to tolerate proxies which choose to attach ports to
X-Forwarded-For IPs by stripping the port:
rack/rack#1251. Attaching a port is rare in the
wild but some proxies (notably Microsoft Azure's App Service) do it.

Without this patch, remote_ip will ignore X-Forwarded-For IPs with ports
attached and the return value is less likely to be useful.

Rails should do the same thing. The stripping logic is already available
in Rack::Request::Helpers, so change the X-Forwarded-For retrieval
method from ActionDispatch::Request#x_forwarded_for (which returns the
raw header) to #forwarded_for, which returns a stripped array of IP
addresses, or nil. There may be other benefits hiding in Rack's
implementation.

We can't call ips_from with an array (and legislating for that inside
ips_from doesn't appeal), so refactor out the bit we need to apply in
both cases (verifying the IP is acceptable to IPAddr and that it's not a
range) to a separate method called #sanitize_ips which reduces an array of
maybe-ips to an array of acceptable ones.
georgeclaghorn pushed a commit to rails/rails that referenced this pull request May 10, 2020
@duncanjbrown
Don’t ignore X-Forwarded-For IPs with ports attached
fbf1d82 
Rack decided to tolerate proxies which choose to attach ports to
X-Forwarded-For IPs by stripping the port:
rack/rack#1251. Attaching a port is rare in the
wild but some proxies (notably Microsoft Azure's App Service) do it.

Without this patch, remote_ip will ignore X-Forwarded-For IPs with ports
attached and the return value is less likely to be useful.

Rails should do the same thing. The stripping logic is already available
in Rack::Request::Helpers, so change the X-Forwarded-For retrieval
method from ActionDispatch::Request#x_forwarded_for (which returns the
raw header) to #forwarded_for, which returns a stripped array of IP
addresses, or nil. There may be other benefits hiding in Rack's
implementation.

We can't call ips_from with an array (and legislating for that inside
ips_from doesn't appeal), so refactor out the bit we need to apply in
both cases (verifying the IP is acceptable to IPAddr and that it's not a
range) to a separate method called #sanitize_ips which reduces an array of
maybe-ips to an array of acceptable ones.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

X-forwarded-for with ports information in Azure
2 participants
@dpritchett @tenderlove