Enclose IPv6 address in X-Forwarded-Host in brackets #1213
Prevent Rack::Request#host from stripping off last hextet of IPv6 address in X-Forwarded-Host returned by Rack::Request#host_with_port by enclosing the address in brackets. IPv6 addresses in the HTTP_HOST, SERVER_NAME, and SERVER_ADDR CGI variables will (should) always be enclosed in brackets.
Indeed. And X-Forwarded-Host is a forwarded value for HTTP_HOST. This sounds rather more like a hack around an upstream misconfiguration than a necessary correction to me. Could you give some more detail on how you came to encounter such a value?
Yes, and the best reverse proxies I've seen don't even use the X-Forwarded-Host header, they just pass the Host value along. RFC 7239 says that IPv6 addresses in this header should be enclosed in square brackets. I haven't seen it in the wild in person, just in forum posts and the like, so this may be a case of overly-defensive programming. I agree that if the reverse proxy is sending an invalid value, it should be fixed there. It's just such a subtle, silent issue—and the X- headers seem to be especially prone to errors and misconfiguration—that a guard here makes sense to me. Take it or leave it!
Take a look at this, there's quite a lot of sketchy IPv6 support in Ruby's core libs.
RFC 7239 Section 7.4:
So I think we should handle this for Could you please rebase against master?
This makes perfect sense to me, thanks for the specs. I'll merge it.
I reviewed the PR and it looks like we recently merged #1538 which preferred the non-square-brackets representation. However, this has not been released yet. So we could adjust it. Based on the definition of
Prevent Rack::Request#host from stripping off the last hextet of an IPv6 address contained in X-Forwarded-Host (and returned by Rack::Request#host_with_port) by enclosing the address in brackets.
IPv6 addresses in the HTTP_HOST, SERVER_NAME, and SERVER_ADDR CGI variables will (should) always be enclosed in brackets.
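
An added illustration of the failure this PR describes and of a bracketing guard; it is not the PR's code or Rack's implementation. `naive_host`, `bracket_ipv6` and `split_host_port` are hypothetical helper names, and the sample header values are constructed.

```ruby
require 'ipaddr'

# Stand-in for the port stripping the PR describes (drop a trailing ":digits").
# Hypothetical helper, not Rack's source.
def naive_host(value)
  value.sub(/:\d+\z/, '')
end

# Hypothetical guard: enclose a bare IPv6 literal in brackets so that a later
# port split cannot mistake its last hextet for a port.
def bracket_ipv6(value)
  return value if value.start_with?('[')
  IPAddr.new(value).ipv6? ? "[#{value}]" : value
rescue IPAddr::Error
  value # not an IP literal (hostname, or host:port); leave untouched
end

# Split a single forwarded host value into [host, port-or-nil].
def split_host_port(value)
  v = bracket_ipv6(value.strip)
  m = v.match(/\A(\[[^\]]*\]|[^:]+)(?::(\d+))?\z/)
  m ? [m[1], m[2]&.to_i] : [v, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header values (documentation address ranges).
  ['2001:db8::8a2e:370:7334', '[2001:db8::1]:8080',
   'example.com:8080', '192.0.2.10:443'].each do |h|
    puts format('%-28s naive=%-24s guarded=%p', h, naive_host(h), split_host_port(h))
  end
end
```

A bare value such as `2001:db8::1:8080` is ambiguous between an address and an address plus port; this guard treats it as an address with no port, which is why a sender that needs a port has to use the bracketed form.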