
IPv6 + Origin header + X-Forwarded-Host header gives NumberFormatException (Safari10 / CORS) [SPR-14761] #19327

Closed
spring-projects-issues opened this issue Sep 28, 2016 · 5 comments

Comments

@spring-projects-issues
Collaborator

@spring-projects-issues spring-projects-issues commented Sep 28, 2016

Jaap opened SPR-14761 and commented

When an IPv6-only client connects to our WebApp which uses Spring 4.3.2

And the browser sends an Origin header (Safari 10 does this under certain circumstances)

And the LoadBalancer/Reverse Proxy adds an X-Forwarded-Host header (with the IPv6 address)

Then you get a java.lang.NumberFormatException: For input string: "a51:0:920::30:20"
at org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(UriComponentsBuilder.java:691)

It appears that this CORS code is IPv4 only?


Referenced from: commits 3064527, ea5ff87, 8751c99

Backported to: 4.2.9

@spring-projects-issues
Collaborator Author

@spring-projects-issues spring-projects-issues commented Sep 28, 2016

Brian Clozel commented

Can you produce the exact HTTP request headers please?

@spring-projects-issues
Collaborator Author

@spring-projects-issues spring-projects-issues commented Sep 28, 2016

Jaap commented

Headers:

POST /my/path/name HTTP/1.1
Host: mydomain.com
Content-Type: application/x-www-form-urlencoded
Origin: https://mydomain.com
Cookie: SESSION=a7a75231-bbab-1234-bc78-24ac
Content-Length: 110
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50
Referer: https://mydomain.com/sub/path/login
Accept-Language: en-us
Accept-Encoding: gzip, deflate
X-Forwarded-Host: 9ba5:a51:0:123::12
X-Forwarded-Proto: https
X-Forwarded-For: 9ba5:a51:0:1:9acb:5adc:9fff:123e
Connection: close

Headers injected with this Firefox plugin: https://addons.mozilla.org/nl/firefox/addon/header-tool/ (for testing).

@spring-projects-issues
Collaborator Author

@spring-projects-issues spring-projects-issues commented Oct 6, 2016

Brian Clozel commented

Thanks for the details.

Note that the issue you're encountering is about X-Forwarded-Host, as the code you're pointing out does not read the X-Forwarded-For request header.

Just one question, it seems that IPv6 addresses as host values should always be like this:

[2001:db8:cafe::17]:4711

or

[2001:db8:cafe::17]

This is done in order to differentiate IP and port (see rfc3986 Section 3.2.2).
In other words, it seems the spec says that your example should be

X-Forwarded-Host: [9ba5:a51:0:123::12]

Did you craft that previous example by hand or is this a real request sent by your browser (i.e. not altered by the browser extension)?
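To make the RFC 3986 point concrete, here is an added example (not code from the thread or from Spring) that parses a Host / X-Forwarded-Host value the way section 3.2.2 requires: an IPv6 literal must be enclosed in square brackets, so `[2001:db8:cafe::17]:4711` and `[2001:db8:cafe::17]` parse, while an unbracketed `9ba5:a51:0:123::12` is rejected as ambiguous instead of being split on a colon. The `naive_split_port` function and all sample values are constructed for illustration; it splits at the first colon and treats the remainder as a port, which is consistent with the exception text reported above (`For input string: "a51:0:920::30:20"`) but is not a claim about Spring's actual implementation.

```python
"""Parse a Host / X-Forwarded-Host value per RFC 3986 section 3.2.2.

Added example, not part of the issue thread or of Spring. The bracket
rule is what lets a parser tell an IPv6 literal apart from a host:port pair.
"""
import ipaddress
import re
from typing import Optional, Tuple

# host part is either a bracketed IPv6 literal or a reg-name/IPv4 without ':'
_HOSTPORT_RE = re.compile(
    r"^(?:\[(?P<ip6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:\[\]\s]+))"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) for a syntactically valid Host value.

    Raises ValueError for anything ambiguous, including an IPv6 literal that
    was forwarded without brackets (the misconfiguration in this thread).
    """
    value = value.strip()
    match = _HOSTPORT_RE.match(value)
    if match is None:
        if value.count(":") > 1:
            raise ValueError(
                f"unbracketed IPv6 literal {value!r}: host/port split is ambiguous, "
                "expected the form [addr] or [addr]:port"
            )
        raise ValueError(f"not a valid host value: {value!r}")

    ip6 = match.group("ip6")
    if ip6 is not None:
        # Brackets alone are not proof of validity; check the literal itself.
        ipaddress.IPv6Address(ip6)  # raises AddressValueError (a ValueError)
        host = ip6
    else:
        host = match.group("host")

    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_valid_forwarded_host(value: str) -> bool:
    """True if the proxy-supplied host value is well-formed; a server should
    ignore or reject the header (not crash) when this is False."""
    try:
        parse_host_header(value)
        return True
    except ValueError:
        return False


def naive_split_port(value: str) -> Tuple[str, Optional[int]]:
    """Constructed IPv4-only parser: split at the first ':' and parse the rest
    as a port. On an unbracketed IPv6 literal the 'port' is the tail of the
    address, so int() fails, mirroring the reported NumberFormatException."""
    host, sep, port = value.partition(":")
    return host, (int(port) if sep else None)


if __name__ == "__main__":
    # Constructed sample values, including the malformed one from the thread.
    for sample in ["[2001:db8:cafe::17]:4711", "[2001:db8:cafe::17]",
                   "mydomain.com", "mydomain.com:8443", "9ba5:a51:0:123::12"]:
        print(f"{sample:28} valid={is_valid_forwarded_host(sample)}")
    try:
        naive_split_port("9ba5:a51:0:920::30:20")
    except ValueError as exc:
        print("naive parser fails like the stack trace:", exc)
```

The defensive point is the second branch: when a forwarded host value cannot be parsed unambiguously, the server should treat the header as absent or reject the request, rather than let a malformed proxy header turn into an unhandled exception on every IPv6 request.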

@spring-projects-issues
Collaborator Author

@spring-projects-issues spring-projects-issues commented Oct 10, 2016

Jaap commented

That is the real (wrong) header set by our IT guys in the HAProxy rules.
We are currently fixing that.

@spring-projects-issues
Collaborator Author

@spring-projects-issues spring-projects-issues commented Oct 10, 2016

Brian Clozel commented

With that change and the patch applied to Spring (available in 4.2.9.BUILD-SNAPSHOT, 4.3.4.BUILD-SNAPSHOT and 5.0.0.BUILD-SNAPSHOT), those exceptions should disappear.

Thanks for letting me know!
