Context Navigation

Changeset 345 in code for trunk/server.go

Timestamp:

Jun 29, 2020, 4:33:23 PM (5 years ago)

Author:

contact

Message:

Only read X-Forwarded-* if remote address is loopback

File:

-              r344
+              r345
                 return
+        }
+        isLoopback := false
+        if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+                if ip := net.ParseIP(host); ip != nil {
+                        isLoopback = ip.IsLoopback()
+                }
+        }
+        // Only trust X-Forwarded-* header fields if this is a loopback connection,
+        // to prevent users from spoofing the remote address
         remoteAddr := req.RemoteAddr
         forwardedHost := req.Header.Get("X-Forwarded-For")
         forwardedPort := req.Header.Get("X-Forwarded-Port")
         if forwardedHost != "" && forwardedPort != "" {
+        if isLoopback && forwardedHost != "" && forwardedPort != "" {
                 remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
+        }
         s.handle(newWebsocketIRCConn(conn), remoteAddr)
+}

Note: See TracChangeset for help on using the changeset viewer.