Only read X-Forwarded-* if remote address is loopback
parent
2c172fa8ca
commit
a9887114d5
13
server.go
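--- a/server.go
+++ b/server.go
@@ -151,11 +151,22 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 s.Logger.Printf("failed to serve HTTP connection: %v", err)
 return
 }
+
+isLoopback := false
+if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+if ip := net.ParseIP(host); ip != nil {
+isLoopback = ip.IsLoopback()
+}
+}
+
+// Only trust X-Forwarded-* header fields if this is a loopback connection,
+// to prevent users from spoofing the remote address
 remoteAddr := req.RemoteAddr
 forwardedHost := req.Header.Get("X-Forwarded-For")
 forwardedPort := req.Header.Get("X-Forwarded-Port")
-if forwardedHost != "" && forwardedPort != "" {
+if isLoopback && forwardedHost != "" && forwardedPort != "" {
 remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
 }
+
 s.handle(newWebsocketIRCConn(conn), remoteAddr)
 }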
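Review bot: In the new `if isLoopback && forwardedHost != "" && forwardedPort != ""` branch, the raw `X-Forwarded-For` value is passed to `net.JoinHostPort` without being parsed. That header is commonly a comma-separated list to which each proxy appends the peer it saw, so entries before the last one can still be client-supplied even when the connection itself arrives over loopback. Using only the right-most element, and only when `net.ParseIP` accepts it, keeps the address handed to `s.handle` well-formed and asserted by the proxy. This assumes a single local proxy hop and needs the `strings` package in the file's imports. ServeHTTP begins above this hunk, so any later validation of `remoteAddr` is not visible here.

```go
if isLoopback && forwardedHost != "" && forwardedPort != "" {
	// The right-most entry is the one appended by the local proxy;
	// anything before it was supplied by the client.
	hops := strings.Split(forwardedHost, ",")
	peer := strings.TrimSpace(hops[len(hops)-1])
	if net.ParseIP(peer) != nil {
		remoteAddr = net.JoinHostPort(peer, forwardedPort)
	}
}
```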