Changeset - f08fbf424898
default
Mads Kiilerich (kiilerix) - 4 years ago 2021-05-09 20:32:51
mads@kiilerich.com
Grafted from: ab3885a410f1
auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header

The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .

Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.

Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than the last IP should be
trusted, the last proxy server in the chain must be configured to rewrite the
header accordingly.)
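As an added illustration of the reasoning in the commit message (this is example code, not Kallithea's own `_filter_proxy`), the helper below picks the client address from an X-Forwarded-For value by walking the list from the right, trusting only the entries appended by the proxies in front of the application. The `trusted_proxies` parameter and the fallback to `remote_addr` are assumptions of this example; the single-proxy default matches the case the commit describes. A naive "leftmost entry" picker is included beside it to show how a client-supplied value survives into the access check.

```python
def naive_client_ip(xff):
    """Pre-fix behaviour: trust the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the client itself sent before reaching
    the first proxy, so it is attacker-controlled.
    """
    return xff.split(',')[0].strip()


def client_ip_from_xff(remote_addr, xff, trusted_proxies=1):
    """Return the address an IP-restriction check should use.

    remote_addr:     peer address of the socket, i.e. the last proxy, or the
                     client itself when no proxy is in front.
    xff:             raw X-Forwarded-For header value, or None when absent.
    trusted_proxies: number of proxies in front of the application whose
                     appended entries are trusted (assumed parameter; 1 is the
                     single-proxy setup from the commit message).
    """
    if not xff:
        return remote_addr
    # Drop empty entries so a stray trailing comma cannot yield '' as the IP.
    hops = [h.strip() for h in xff.split(',') if h.strip()]
    if len(hops) < trusted_proxies:
        # The header has fewer entries than our proxies would have added, so it
        # cannot be the chain we expect; fall back to the socket peer address.
        return remote_addr
    # Entry -1 was appended by the proxy that connected to us, -2 by the proxy
    # before it, and so on.  The first entry not written by a trusted proxy is
    # the real client, at index -trusted_proxies.
    return hops[-trusted_proxies]


def is_allowed(remote_addr, xff, allowlist, trusted_proxies=1):
    """IP restriction check built on the hardened picker."""
    return client_ip_from_xff(remote_addr, xff, trusted_proxies) in allowlist


if __name__ == '__main__':
    # Constructed sample: one reverse proxy at 10.0.0.1, real client 203.0.113.7,
    # which prepends a spoofed entry claiming to be the allowed 198.51.100.9.
    allow = {'198.51.100.9'}
    spoofed = '198.51.100.9, 203.0.113.7'
    print('leftmost  ->', naive_client_ip(spoofed), 'allowed' if naive_client_ip(spoofed) in allow else 'denied')
    print('rightmost ->', client_ip_from_xff('10.0.0.1', spoofed),
          'allowed' if is_allowed('10.0.0.1', spoofed, allow) else 'denied')
```

With the spoofed sample the leftmost picker admits the request while the rightmost picker denies it; with `trusted_proxies=2` the same function handles a two-proxy chain, which is the case the commit message leaves to header rewriting on the last proxy.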
1 file changed with 7 insertions and 5 deletions:
kallithea/controllers/base.py
@@ -64,15 +64,17 @@ def render(template_path):
 

	
 
def _filter_proxy(ip):
 
    """
 
    HEADERS can have multiple ips inside the left-most being the original
 
    client, and each successive proxy that passed the request adding the IP
 
    address where it received the request from.
 
    HTTP_X_FORWARDED_FOR headers can have multiple IP addresses, with the
 
    leftmost being the original client. Each proxy that is forwarding the
 
    request will usually add the IP address it sees the request coming from.
 

	
 
    :param ip:
 
    The client might have provided a fake leftmost value before hitting the
 
    first proxy, so if we have a proxy that is adding one IP address, we can
 
    only trust the rightmost address.
 
    """
 
    if ',' in ip:
 
        _ips = ip.split(',')
 
        _first_ip = _ips[0].strip()
 
        _first_ip = _ips[-1].strip()
 
        log.debug('Got multiple IPs %s, using %s', ','.join(_ips), _first_ip)
 
        return _first_ip
 
    return ip
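Review bot: `_first_ip` now holds the rightmost entry (`_first_ip = _ips[-1].strip()`), so the name misdescribes the value; rename it to `_last_ip` in the assignment, the `log.debug` call and the `return`. The docstring's `:param ip:` line is left without a description, and the sentence added directly under it (the rationale for trusting only the rightmost address) reads as the parameter description; move that sentence up with the rest of the explanation and state what `ip` is (the raw HTTP_X_FORWARDED_FOR value). Also, `_ips[-1].strip()` yields an empty string for a value with a trailing comma such as `'203.0.113.7,'`; consider filtering out empty entries before taking the last one, or falling back to the remote address when the result is empty.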