ForwardedHeaderFilter should support case insensitive header name [SPR-14372] #18945

Closed
spring-projects-issues opened this issue Jun 16, 2016 · 3 comments

@spring-projects-issues spring-projects-issues commented Jun 16, 2016

Thibaud Lepretre opened SPR-14372 and commented

Since 4.3.0.RELEASE Spring offers a new filter ForwardedHeaderFilter to handle X-Forwarded-* headers (#18192).

However, the method shouldNotFilter uses a case-sensitive comparison:

```java
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
	Enumeration<String> headerNames = request.getHeaderNames();
	while (headerNames.hasMoreElements()) {
		String name = headerNames.nextElement();
		// Set.contains compares the header name exactly, including its case
		if (FORWARDED_HEADER_NAMES.contains(name)) {
			return false;
		}
	}
	return true;
}
```

Whereas RFC7230 - 3.2 Header Fields says:

> Each header field consists of a case-insensitive field name followed by a colon (":")

Regardless of RFC7230, an NGINX configuration like

```nginx
proxy_set_header X-Forwarded-Hostname $http_host;
```

Even with the correct case, the header will be transformed and the container will receive x-forwarded-hostname


Affects: 4.3 GA

Reference URL: https://github.com/kakawait/spr-14372

Issue Links:

  • #18949 ForwardedHeaderFilter should support cases where contextPath should not be replaced with X-Forwarded-Prefix

Referenced from: commits 919f6c9

1 votes, 2 watchers


@spring-projects-issues spring-projects-issues commented Jun 16, 2016

Thibaud Lepretre commented

I just created a sample to reproduce (you need docker)

https://github.com/kakawait/spr-14372


@spring-projects-issues spring-projects-issues commented Jun 16, 2016

Thibaud Lepretre commented

Quick & dirty bypass

```java
// Needs java.util.{Enumeration, HashSet, Locale, Set}, javax.servlet.ServletException
// and javax.servlet.http.HttpServletRequest imported in the enclosing file.
private static class ForwardedHeaderFilter extends org.springframework.web.filter.ForwardedHeaderFilter {
    private static final Set<String> FORWARDED_HEADER_NAMES;

    static {
        FORWARDED_HEADER_NAMES = new HashSet<>(5);
        FORWARDED_HEADER_NAMES.add("forwarded");
        FORWARDED_HEADER_NAMES.add("x-forwarded-host");
        FORWARDED_HEADER_NAMES.add("x-forwarded-port");
        FORWARDED_HEADER_NAMES.add("x-forwarded-proto");
        FORWARDED_HEADER_NAMES.add("x-forwarded-prefix");
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            // Lower-case with a fixed locale so the match does not depend on the JVM default locale
            if (FORWARDED_HEADER_NAMES.contains(name.toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }
}
```

@spring-projects-issues spring-projects-issues commented Jun 17, 2016

Rossen Stoyanchev commented

The fix was a little more involved. Besides the Filter-level check, there are a couple more places: getting the X-Forwarded-Prefix and masking the X-Forwarded-* headers.

It should be fixed now.
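
The three places named in this thread (the filter-level check, reading X-Forwarded-Prefix, and masking the X-Forwarded-* headers) all need the same case-insensitive treatment. The following is an added example, not code from the issue or from Spring: plain JDK collections stand in for the servlet request, and the class name, helper names and sample header values are constructed for illustration.

```java
import java.util.*;

// Added illustration: a Map<String, String> stands in for the request headers.
public class ForwardedHeaderCaseDemo {
    // Case-insensitive set: "x-forwarded-host" matches the entry "X-Forwarded-Host".
    static final Set<String> FORWARDED = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        FORWARDED.addAll(Arrays.asList("Forwarded", "X-Forwarded-Host",
                "X-Forwarded-Port", "X-Forwarded-Proto", "X-Forwarded-Prefix"));
    }

    // 1. Filter-level check: skip the filter only if no forwarded header is present, in any case.
    static boolean shouldNotFilter(Map<String, String> headers) {
        return headers.keySet().stream().noneMatch(FORWARDED::contains);
    }

    // 2. Value lookup (for example X-Forwarded-Prefix) regardless of the case on the wire.
    static String header(Map<String, String> headers, String wanted) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(wanted)) {
                return e.getValue();
            }
        }
        return null;
    }

    // 3. Masking: the view handed to downstream code drops forwarded headers in any case.
    static Map<String, String> mask(Map<String, String> headers) {
        Map<String, String> visible = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.forEach((k, v) -> { if (!FORWARDED.contains(k)) visible.put(k, v); });
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample: header names as a proxy may deliver them, lower-cased.
        Map<String, String> in = new LinkedHashMap<>();
        in.put("host", "backend:8080");
        in.put("x-forwarded-host", "example.org");
        in.put("x-forwarded-prefix", "/app");
        // A plain HashSet copy reproduces the case-sensitive miss described in the issue.
        System.out.println("HashSet match:   " + new HashSet<>(FORWARDED).contains("x-forwarded-host"));
        System.out.println("shouldNotFilter: " + shouldNotFilter(in));
        System.out.println("prefix:          " + header(in, "X-Forwarded-Prefix"));
        System.out.println("visible headers: " + mask(in).keySet());
    }
}
```

If only the first check is made case-insensitive, the prefix lookup and the masked header view can still miss the lower-cased names, which is why all three are shown together.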
