Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Forwarded header in Rack::Protection::IPSpoofing #2011

Open
dentarg opened this issue May 29, 2024 · 1 comment
Open

Support Forwarded header in Rack::Protection::IPSpoofing #2011

dentarg opened this issue May 29, 2024 · 1 comment
Assignees
@dentarg
Labels
feature

Comments

@dentarg
Copy link
Member

dentarg commented May 29, 2024
edited
Loading

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded

Since Rack 3 (rack/rack#1834) the Forwarded is supported (and preferred).

Sinatra does not make use of this:

sinatra/lib/sinatra/base.rb

Lines 63 to 65 in 5640495

def forwarded?
@env.include? 'HTTP_X_FORWARDED_HOST'
end

Which one to prefer should probably be exposed to the end-user.
@dentarg
Copy link
Member Author

dentarg commented May 29, 2024

Here too

sinatra/rack-protection/lib/rack/protection/ip_spoofing.rb

Lines 16 to 24 in 5640495

def accepts?(env)
return true unless env.include? 'HTTP_X_FORWARDED_FOR'
ips = env['HTTP_X_FORWARDED_FOR'].split(',').map(&:strip)
return false if env.include?('HTTP_CLIENT_IP') && (!ips.include? env['HTTP_CLIENT_IP'])
return false if env.include?('HTTP_X_REAL_IP') && (!ips.include? env['HTTP_X_REAL_IP'])
true
end

@malikparvez malikparvez mentioned this issue Jul 14, 2024
Open
@dentarg dentarg self-assigned this Nov 11, 2024
@dentarg dentarg changed the title Support Forwarded header Support Forwarded header in Rack::Protection::IPSpoofing Nov 12, 2024
dentarg added a commit to dentarg/sinatra that referenced this issue Nov 12, 2024
@dentarg
Support Forwarded header in #forwarded?
4652ad2 
Related to sinatra#2011
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dentarg dentarg

Labels
feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dentarg