[PATCH] Fix X-Forwarded-For with IPV6


Boris Grozev

Apr 7, 2025, 5:29:09 PM
to proso...@googlegroups.com
This change breaks the IPv6 format used in X-Forwarded-For
https://hg.prosody.im/trunk/rev/90394be5e6a5

X-Forwarded-For doesn't use brackets, and the second regexp meant for
ipv4 kicks in:
normal_ip("2001:db8:85a3:8d3:1319:8a2e:370:7348") ---> "2001"

The first attached patch fixes it by only matching four sets of digits
separated by dots. The new behaviour:
1.12.113.24 -> 1.12.113.24
[2001:db8:85a3:8d3:1319:8a2e:370:7348] -> 2001:db8:85a3:8d3:1319:8a2e:370:7348
2001:db8:85a3:8d3:1319:8a2e:370:7348 -> 2001:db8:85a3:8d3:1319:8a2e:370:7348
1.12.113.24:443 -> 1.12.113.24
[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443 -> 2001:db8:85a3:8d3:1319:8a2e:370:7348


The second patch I've submitted before. It ignores entries in
X-Forwarded-For when they don't parse as an IP instead of throwing an
exception and returning HTTP 500. Note with 0.12 this was only
happening when something included invalid values in the header, but
with 13 it fails when ipv6 is used with X-Forwarded-For (e.g.
cloudflare).


Regards,
Boris
1-fix-normal_ip.patch
2-ignore-parse-errors.patch
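A standalone Lua sketch of the behaviour the two patches describe (strict four-group IPv4 matching, bracketed and bare IPv6, port stripping, and skipping entries that do not parse instead of raising). This is an added example, not the attached patches or Prosody's own code; the function names and patterns are my own assumptions.

```lua
-- Added example (not Prosody code). Normalise one X-Forwarded-For entry:
-- strip an optional ":port" and RFC 7239 brackets, return the bare address,
-- or nil when the entry does not look like an IP at all.
local function normal_ip(entry)
  entry = entry:match("^%s*(.-)%s*$") -- trim surrounding whitespace
  -- Bracketed IPv6, with or without a port: "[2001:db8::1]" / "[2001:db8::1]:443"
  local v6 = entry:match("^%[([%x:]+)%]$") or entry:match("^%[([%x:]+)%]:%d+$")
  if v6 then return v6 end
  -- IPv4 must be exactly four dot-separated numbers, optionally followed by a port.
  -- A looser pattern anchored only on leading digits (e.g. "^(%d+)") is what turns
  -- a bare IPv6 address into "2001", the bug described in the thread.
  local v4 = entry:match("^(%d+%.%d+%.%d+%.%d+)$")
           or entry:match("^(%d+%.%d+%.%d+%.%d+):%d+$")
  if v4 then return v4 end
  -- Bare IPv6 as most proxies (e.g. Cloudflare) send it: hex digits and at least
  -- two colons. This is a syntactic check only, not full address validation.
  if entry:match("^[%x:]+$") and entry:find(":.*:") then return entry end
  return nil
end

-- Parse a whole X-Forwarded-For value. Entries that fail to normalise are
-- dropped rather than aborting the request, mirroring the second patch.
local function parse_forwarded_for(header)
  local ips = {}
  for entry in header:gmatch("[^,]+") do
    local ip = normal_ip(entry)
    if ip then ips[#ips + 1] = ip end
  end
  return ips
end

-- Constructed sample header built from the thread's own test addresses,
-- plus one junk entry that must be ignored.
local sample = "1.12.113.24:443, garbage, " ..
  "[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443, " ..
  "2001:db8:85a3:8d3:1319:8a2e:370:7348"
for _, ip in ipairs(parse_forwarded_for(sample)) do print(ip) end
-- Expected: 1.12.113.24, then the IPv6 address twice; "garbage" is skipped.
```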

Boris Grozev

Apr 8, 2025, 1:16:00 PM
to proso...@googlegroups.com
To be more clear about the end result: prosody 13.0.1 cannot be
accessed via an HTTP proxy that uses x-forwarded-for from an ipv6
address. To reproduce without setting up a proxy:
curl -v -H 'x-forwarded-for: 2605:aaaa:a0c9:c900:d8b3:aaaa:aaaa:aaaa' 0:5280/xmpp-websocket

This results in a 500 response and the following exception:
2025-04-08 17:03:09 http.server error Traceback[httpserver]:
/usr/share/lua/5.4/prosody/util/ip.lua:217: attempt to index a nil
value (local 'ipA')
stack traceback:
/usr/share/lua/5.4/prosody/util/ip.lua:217: in function
'prosody.util.ip.match'
/usr/lib/prosody/modules/mod_http.lua:345: in upvalue 'is_trusted_proxy'
/usr/lib/prosody/modules/mod_http.lua:391: in upvalue
'get_forwarded_connection_info'
/usr/lib/prosody/modules/mod_http.lua:407: in function
</usr/lib/prosody/modules/mod_http.lua:403>


The expected result is a 200. This is a regression since 0.12.5.

You get the expected result if the v6 address is encoded in the
rfc7239 format as the changeset I pointed to above intends, but the
widely used x-forwarded-for format (no brackets around v6 address) is
now broken.

Boris

Kim Alvefur

Apr 9, 2025, 5:55:32 PM
to proso...@googlegroups.com
Hello Boris,

Thanks for the patches. I tweaked them a bit and pushed these commits:

- https://hg.prosody.im/trunk/rev/61df1404dd7a
- https://hg.prosody.im/trunk/rev/a4b58ea5bf7b

I couldn't reproduce the error however, so I hope it went away.

Also not entirely sure that it's a good idea to log a warning for
malformed potentially user-submitted data, as X-Forwarded-For may be
depending on how the proxy is configured.

--
Regards,
Zash

Boris Grozev

Apr 10, 2025, 11:09:12 AM
to proso...@googlegroups.com
Thanks, Zash!

I confirm your changes resolve both problems for us. I don't think the
logs are necessary; my main goal was to avoid printing the entire
stack trace.

I'm surprised you couldn't reproduce the error, it happens consistently for me.

Boris