Issue with Forwarded Header and Multiple Values #25737

Closed
zdravko-nestorov opened this issue Sep 8, 2020 · 0 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
zdravko-nestorov commented Sep 8, 2020

According to the RFC 7239 specification, the syntax for the Forwarded header is as follows:
Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>

These values are used by Spring (all recent versions), if present, in order to reflect the client-originated protocol and address (when allowed through a configuration). There is a problem when using multiple values in this header:

# Multiple values can be appended using a comma
Forwarded: for=192.0.2.43,for=198.51.100.17;proto=https;host=xxx.yyy.com;by=10.97.9.10

The code in UriComponentsBuilder#adaptFromForwardedHeaders:798-800 takes the first Forwarded header, if multiple are found, splits it by comma, and uses only the first part:

String forwardedToUse = StringUtils.tokenizeToStringArray(forwardedHeader, ",")[0];

In our case the resulting value is Forwarded: for=192.0.2.43, where all useful information is trimmed.
Is this really an issue, or is there something that I am missing?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 8, 2020
@poutsma poutsma self-assigned this Sep 9, 2020
@poutsma poutsma added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement type: bug A general bug and removed type: enhancement A general enhancement labels Sep 9, 2020
@poutsma poutsma added this to the 5.2.9 milestone Sep 10, 2020
@jhoeller jhoeller removed the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 10, 2020