
Drop untrusted values from trusted proxy headers #452

Merged
merged 2 commits into from
Nov 15, 2024

Conversation

simonk52
Contributor

@simonk52 simonk52 commented Nov 4, 2024

Headers such as X-Forwarded-For, X-Forwarded-Host and Forwarded can contain more values than are actually trusted, leading to the possibility that the downstream application could interpret those headers differently to waitress.

This change rewrites the trusted headers so that they only contain the values from the trusted proxies.

Relates to issue #451
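As an added illustration (not the PR's code and not waitress's own implementation), the rewrite described above in standalone Python: each proxy header list is trimmed to the entries that trusted proxies appended, under the common model in which every hop appends one entry and `trusted_proxy_count` is the number of trusted hops. The environ keys, the helper names and the choice to delete proxy headers that are not in the trusted set are assumptions made for this example.

```python
import re

# Split a comma-separated header value, ignoring commas inside quoted
# strings (RFC 7239 Forwarded elements may carry quoted values).
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def split_header_list(value: str) -> list[str]:
    return [v.strip() for v in _COMMA_OUTSIDE_QUOTES.split(value) if v.strip()]


def rewrite_forwarded_header(value: str, trusted_proxy_count: int) -> str:
    """Keep only the rightmost trusted_proxy_count entries.

    Each proxy appends one entry as it forwards the request, so the last
    trusted_proxy_count entries were written by trusted proxies; anything
    to their left could have been supplied by an untrusted client.
    """
    if trusted_proxy_count <= 0:
        return ""
    return ", ".join(split_header_list(value)[-trusted_proxy_count:])


# Assumed mapping from header names to WSGI environ keys (example only).
_PROXY_HEADER_KEYS = {
    "x-forwarded-for": "HTTP_X_FORWARDED_FOR",
    "x-forwarded-host": "HTTP_X_FORWARDED_HOST",
    "forwarded": "HTTP_FORWARDED",
}


def rewrite_trusted_headers(environ: dict, trusted_proxy_count: int,
                            trusted_headers: set) -> dict:
    """Rewrite proxy headers in a WSGI environ in place and return it.

    Headers in trusted_headers are trimmed to trusted values; proxy
    headers not in the trusted set are dropped entirely (assumption).
    """
    for name, key in _PROXY_HEADER_KEYS.items():
        if key not in environ:
            continue
        if name in trusted_headers:
            environ[key] = rewrite_forwarded_header(environ[key],
                                                    trusted_proxy_count)
        else:
            del environ[key]
    return environ
```

With two trusted hops, a spoofed leading value in X-Forwarded-For is discarded so the application sees the same client address the server does.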

@simonk52 simonk52 force-pushed the drop-untrusted-proxy-values branch from d0f82c1 to 8f321fa Compare November 4, 2024 17:57
@digitalresistor
Member

There is no reason to return a new dict called environ_rewrites; we can just update the environment inside the function, as we already do for updating other values in the environment.

@simonk52 simonk52 force-pushed the drop-untrusted-proxy-values branch from 8f321fa to 5d15571 Compare November 11, 2024 10:16
@digitalresistor
Member

Could you sign CONTRIBUTORS.txt please, unless you already have and I missed it?

Member

@mmerickel mmerickel left a comment


LGTM

@digitalresistor digitalresistor merged commit 291d9cb into Pylons:main Nov 15, 2024
38 checks passed
@simonk52
Contributor Author

Thank you! 👍

3 participants