Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

remove spoof-able request header (#7103) 

* remove spoof-able request header

https://github.com/seaweedfs/seaweedfs/issues/7094#issuecomment-3158320497

* Update weed/security/guard.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
pull/7106/head
Chris Lu 3 months ago
committed by GitHub
parent
0703308270
commit
e446234e9c
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 34 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 30
      weed/security/guard.go
  2. 6
      weed/server/master_server.go

30
weed/security/guard.go
View File

@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
}
func GetActualRemoteHost(r *http.Request) string {
// Check X-Forwarded-For headers first (may contain comma-separated IPs)
// HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader
host := r.Header.Get("HTTP_X_FORWARDED_FOR")
if host == "" {
host = r.Header.Get("X-FORWARDED-FOR")
}
if host != "" {
for _, ipStr := range strings.Split(host, ",") {
host = strings.TrimSpace(ipStr)
if host != "" {
break
}
}
}
// If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
if host == "" {
host = r.Header.Get("X-Real-IP")
}
// If we got a host from headers, use it (can be IP or hostname)
if host != "" {
if host = strings.TrimSpace(host); host != "" {
return host
}
}
// If no host from headers, extract from RemoteAddr
// For security reasons, only use RemoteAddr to determine the client's IP address.
// Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err == nil {
return host

6
weed/server/master_server.go
View File

@ -257,12 +257,6 @@ func (ms *MasterServer) proxyToLeader(f http.HandlerFunc) http.HandlerFunc {
// proxy to leader
glog.V(4).Infoln("proxying to leader", raftServerLeader)
proxy := httputil.NewSingleHostReverseProxy(targetUrl)
director := proxy.Director
proxy.Director = func(req *http.Request) {
actualHost := security.GetActualRemoteHost(req)
req.Header.Set("HTTP_X_FORWARDED_FOR", actualHost)
director(req)
}
proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport()
proxy.ServeHTTP(w, r)
}

Write Preview
Loading…
Cancel
Save