-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support RFC 7239: HTTP Forwarded header #1423
Conversation
4a6d7f7
to
347f786
Compare
This looks good, can you check failing tests? |
Yes, I have checked that. Works on my machine with that ruby version and test seed. Can you trigger rebuild just in case? After that will look more closely. |
Co-authored-by: Matt Bostock <matt@mattbostock.com>
347f786
to
1a6203c
Compare
One issue with supporting To be safe, if both headers are present, we should only use @tenderlove, @ioquatix Does my analysis here make sense? If so, what are your thoughts on my recommended approach? Other than that issue, I reviewed this and I'm OK with the changes. The conflict is only due to documentation I added recently, and easily resolved. There are some unrelated changes that would better have been submitted in separate PRs, but I don't think would cause us not to merge this once the security issue is addressed. |
@jeremyevans I don't see what support the server implementation would need to have -- its opinions are in Perhaps, as it's a relatively new header in the real world, it wouldn't be unreasonable for us to declare that an upstream that sets * ... unless we can trust all reverse proxies to swallow an incoming |
@matthewd I think you are correct. This probably cannot be handled by SPEC since it isn't handled by the server itself. Still, we should probably do something to prevent a security issue being introduced. If we assume that proxies that support
|
@jeremyevans can you assign this to a milestone, either 2.2 or 3.0 depending on what you think makes the most sense? If servers need to be on board with the change, I'd say 3.0 wouldn't be a mistake. |
if forwarded = get_header(HTTP_X_FORWARDED_HOST) | ||
if forwarded = get_http_forwarded(:host) | ||
forwarded.last | ||
elsif forwarded = get_header(HTTP_X_FORWARDED_HOST) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's possible that get_header(HTTP_X_FORWARDED_HOST) == ''
in some cases. For instance:
curl http://example.com -H 'X_FORWARDED_HOST;' -H 'HOST: example.com'
or
telnet example.com 80
Trying 127.0.0.1...
Connected to example.com.
Escape character is '^]'.
GET / HTTP/1.0
HOST: example.com
X_FORWARDED_HOST:
@fatkodima do you mind rebasing on master? |
@ioquatix I'm sorry, I'm no longer in the context. Feel free to do with this PR whatever you want. |
The Request.forwarded_priority accessor sets the priority. Default to considering Forwarded first, since it is now the official standard. Also allow configuring whether X-Forwarded-Proto or X-Forwarded-Scheme has priority, using the Request.x_forwarded_proto_priority accessor. Allowing configurable priorities for these headers is necessary, because which headers should be checked depends on the environment the application runs in. Make Request#forwarded_authority use the last forwarded authority instead of the first forwarded authority, since earlier forwarded authorities can be forged by the client. Fixes rack#1809 Fixes rack#1829 Implements rack#1423 Implements rack#1832
@jeremyevans has created a new PR for this feature/functionality. |
The Request.forwarded_priority accessor sets the priority. Default to considering Forwarded first, since it is now the official standard. Also allow configuring whether X-Forwarded-Proto or X-Forwarded-Scheme has priority, using the Request.x_forwarded_proto_priority accessor. Allowing configurable priorities for these headers is necessary, because which headers should be checked depends on the environment the application runs in. Make Request#forwarded_authority use the last forwarded authority instead of the first forwarded authority, since earlier forwarded authorities can be forged by the client. Fixes #1809 Fixes #1829 Implements #1423 Implements #1832
This is an updated version of #1017 with addressed Jeremy's comments and slightly changed implementation, but the logic remains the same as described in original PR description.
@ioquatix
Closes #1017
Closes #1310