Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove X-Forwarded-Uri and X-Forwarded-Method from untrusted IP #4036

Merged
merged 1 commit into from
Nov 12, 2018
Merged

Remove X-Forwarded-Uri and X-Forwarded-Method from untrusted IP #4036

merged 1 commit into from
Nov 12, 2018
+34 −12

Conversation

stffabi
Copy link
Contributor

@stffabi stffabi commented Oct 13, 2018

What does this PR do?

Remove X-Forwarded-Uri and X-Forwarded-Method headers if a request
comes from an untrusted IP.

Motivation

Failing to do so would result in an inconsistent and insecure behaviour
for the forward authentication. If TrustForwardHeader is active in the
forward auth, the auth endpoint receives these two headers if they
have been sent from an untrusted IP. Whereas other X-Forward headers
have been removed in the request and are safe to use in the auth
endpoint.

More

  • Added/updated tests
  • Added/updated documentation

Additional Notes

@traefiker traefiker added this to the 1.7 milestone Oct 13, 2018
@stffabi
Copy link
Contributor Author

stffabi commented Oct 15, 2018

I've fixed the bug by just removing the additional headers before letting oxy/forward remove the other ones. I wanted to have a small changeset for 1.7, for the master the fix could easily be added in forwarded_header.go, which should make it more elegant as all forwarded headers are removed at the same place.

jbdoumenjou
jbdoumenjou approved these changes Oct 29, 2018
View reviewed changes
Copy link
Member

@jbdoumenjou jbdoumenjou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ldez
ldez suggested changes Nov 7, 2018
View reviewed changes
server/header_rewriter.go Outdated Show resolved Hide resolved
ldez
ldez approved these changes Nov 8, 2018
View reviewed changes
Copy link
Contributor

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mmatur
mmatur approved these changes Nov 12, 2018
View reviewed changes
Copy link
Member

@mmatur mmatur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@stffabi @traefiker
Remove X-Forwarded-Uri and X-Forwarded-Method headers if a request
bc6021f 
comes from an untrusted ip.

Failing to do so would result in an inconsistent and insecure behaviour
for the forward authentication. If TrustForwardHeader is active in the
forward auth, the auth endpoint receives these two headers if they
have been sent from an untrusted ip. Whereas other X-Forward headers
have been removed in the request and are safe to use in the auth
endpoint.
@traefiker traefiker merged commit b889b01 into traefik:v1.7 Nov 12, 2018
@stffabi stffabi deleted the remove-auth-forwarded-headers branch November 12, 2018 23:13
@ldez ldez mentioned this pull request Nov 19, 2018
Merged
17 tasks
@ldez ldez mentioned this pull request Dec 5, 2018
Merged
5 tasks
@stffabi stffabi mentioned this pull request Jun 25, 2019
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ldez ldez ldez approved these changes

@mmatur mmatur mmatur approved these changes

@jbdoumenjou jbdoumenjou jbdoumenjou approved these changes

Assignees
No one assigned
Labels
area/authentication area/middleware kind/bug/fix a bug fix size/S
Projects
None yet
Milestone
1.7
Development

Successfully merging this pull request may close these issues.
6 participants
@stffabi @jbdoumenjou @mmatur @ldez @geraldcroes @traefiker