Enclose IPv6 address in X-Forwarded-Host in brackets #1213
Conversation
Prevent Rack::Request#host from stripping off last hextet of IPv6 address in X-Forwarded-Host returned by Rack::Request#host_with_port by enclosing the address in brackets. IPv6 addresses in the HTTP_HOST, SERVER_NAME, and SERVER_ADDR CGI variables will (should) always be enclosed in brackets.
Indeed. And X-Forwarded-Host is a forwarded value for HTTP_HOST. This sounds rather more like a hack around an upstream misconfiguration than a necessary correction to me. Could you give some more detail on how you came to encounter such a value? |
|
Yes, and the best reverse proxies I've seen don't even use the X-Forwarded-Host header, they just pass the Host value along. RFC 7239 says that IPv6 addresses in this header should be enclosed in square brackets. I haven't seen it it in the wild in person, just in forum posts and the like, so this may be a case of overly-defensive programming. I agree that if the reverse proxy is sending an invalid value, it should be fixed there. It's just such a subtle, silent issue—and the X- headers seem to be especially prone to errors and misconfiguration—that a guard here makes sense to me. Take it or leave it! |
|
Take a look at this, there's quite a lot of sketchy IPv6 support in ruby's core libs. |
|
RFC 7239 Section 7.4: So I think we should handle this for Could you please rebase against master? |
|
This makes perfect sense to me, thanks for the specs. I'll merge it. |
|
I reviewed the PR and it looks like we recently merged #1538 which prefered the non-square-brackets representation. However, this has not been released yet. So we could adjust it. Based on the defintion of |
Prevent Rack::Request#host from stripping off the last hextet of an IPv6 address contained in X-Forwarded-Host (and returned by Rack::Request#host_with_port) by enclosing the address in brackets.
IPv6 addresses in the HTTP_HOST, SERVER_NAME, and SERVER_ADDR CGI variables will (should) always be enclosed in brackets.