Only read X-Forwarded-* if remote address is loopback

This commit is contained in:
Simon Ser 2020-06-29 18:33:23 +02:00
parent 2c172fa8ca
commit a9887114d5
No known key found for this signature in database
GPG Key ID: 0FDE7BE0E88F5E48

View File

@ -151,11 +151,22 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
s.Logger.Printf("failed to serve HTTP connection: %v", err)
return
}
isLoopback := false
if host, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
if ip := net.ParseIP(host); ip != nil {
isLoopback = ip.IsLoopback()
}
}
// Only trust X-Forwarded-* header fields if this is a loopback connection,
// to prevent users from spoofing the remote address
remoteAddr := req.RemoteAddr
forwardedHost := req.Header.Get("X-Forwarded-For")
forwardedPort := req.Header.Get("X-Forwarded-Port")
if forwardedHost != "" && forwardedPort != "" {
if isLoopback && forwardedHost != "" && forwardedPort != "" {
remoteAddr = net.JoinHostPort(forwardedHost, forwardedPort)
}
s.handle(newWebsocketIRCConn(conn), remoteAddr)
}