Changeset 474 in code for trunk/server.go


Timestamp:
Mar 18, 2021, 12:28:46 PM (4 years ago)
Author:
contact
Message:

Stop reading X-Forwarded-Port

X-Forwarded-Port contains the destination port, not the source port,
so it isn't useful for our purposes.

Move parsing of X-Forwarded-* header fields to parseForwarded.

File:
1 edited

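--- a/trunk/server.go
+++ b/trunk/server.go
@@ -213,15 +213,11 @@
         }
 
-        // Only trust X-Forwarded-* header fields if this is a trusted proxy IP
+        // Only trust the Forwarded header field if this is a trusted proxy IP
         // to prevent users from spoofing the remote address
         remoteAddr := req.RemoteAddr
         if isProxy {
                 forwarded := parseForwarded(req.Header)
-                forwardedHost := req.Header.Get("X-Forwarded-For")
-                forwardedPort := req.Header.Get("X-Forwarded-Port")
                 if forwarded["for"] != "" {
                         remoteAddr = forwarded["for"]
-                } else if forwardedHost != "" && forwardedPort != "" {
-                        remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
                 }
         }
@@ -233,5 +229,9 @@
         forwarded := h.Get("Forwarded")
         if forwarded == "" {
-                return nil
+                return map[string]string{
+                        "for":   h.Get("X-Forwarded-For"),
+                        "proto": h.Get("X-Forwarded-Proto"),
+                        "host":  h.Get("X-Forwarded-Host"),
+                }
         }
         // Hack to easily parse header parameters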
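Review bot: The fallback in the second hunk stores the raw `X-Forwarded-For` value under `"for"`, and the first hunk then assigns it to `remoteAddr` unchanged. That header is commonly a comma-separated list, so if the trusted proxy appends rather than overwrites, every entry except the last is still client-supplied and the spoofing the comment at new line 215 warns about remains possible. Keeping only the right-most element would close that, e.g. with `xff := h.Get("X-Forwarded-For")` followed by `if i := strings.LastIndex(xff, ","); i >= 0 { xff = strings.TrimSpace(xff[i+1:]) }` before building the map. The value also no longer carries a port while `req.RemoteAddr` is host:port, so any consumer of `remoteAddr` that splits host and port (not visible here) should be checked. Separately, the comment at new line 215 names only the Forwarded header although parseForwarded now falls back to X-Forwarded-*; both functions start and end outside the hunks.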