
is_valid_ip: accept RFC 3986 bracketed IPv6 in X-Forwarded-For #3667

Open

HrachShah wants to merge 1 commit into tornadoweb:master from HrachShah:fix/is-valid-ip-bracketed-ipv6

Conversation

@HrachShah


What

is_valid_ip (used to validate X-Forwarded-For / X-Real-IP
headers in _apply_xheaders) calls getaddrinfo, which rejects the
RFC 3986 URI-reference bracketed IPv6 form (e.g. [2620:0:d60:ac1a::10])
with EAI_NONAME. Load balancers such as Fortigate emit IPv6 in this
form, so the forwarded address was silently dropped and the request
fell back to the connection peer.

Strip the brackets inside is_valid_ip so the bracketed form is
accepted and validated as a normal IPv6 address, and unwrap the
brackets in _apply_xheaders so the stored remote_ip is always
the bare address.

Fixes #3561.

Some load balancers (e.g. Fortigate) emit IPv6 addresses in X-Forwarded-For
in the URI-reference bracketed form, e.g. '[2620:0:d60:ac1a::10]'. The
existing is_valid_ip check calls getaddrinfo, which rejects the
bracketed form with EAI_NONAME, so these forwarded addresses were
silently dropped and the request fell back to the connection peer.

Strip the brackets inside is_valid_ip so the bracketed form is accepted
and validated as a normal IPv6 address, and unwrap the brackets in
_apply_xheaders so the stored remote_ip is always the bare address.

Fixes tornadoweb#3561.
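To make the behaviour described above concrete, here is an added example (not Tornado's code and not part of this PR) that contrasts a plain getaddrinfo-based check, which rejects the bracketed literal, with a bracket-tolerant variant, and shows a simplified X-Forwarded-For resolution step that unwraps the brackets before storing the address. The function names `is_valid_ip_strict`, `is_valid_ip`, `unwrap_bracketed_ipv6` and `resolve_remote_ip`, the `trusted_downstream` handling and the header values are assumptions of this example; the address `2620:0:d60:ac1a::10` is the one quoted in the PR. The check uses `AI_NUMERICHOST` so it never performs DNS lookups, and a bracketed value is accepted only when the inside is an IPv6 literal, since RFC 3986 reserves the bracket syntax for IPv6.

```python
import socket

# Constructed header sets for the demo (not captured traffic).
BRACKETED_HEADERS = {"X-Forwarded-For": "[2620:0:d60:ac1a::10]"}
CHAIN_HEADERS = {"X-Forwarded-For": "203.0.113.7, 10.0.0.2"}


def unwrap_bracketed_ipv6(candidate: str) -> str:
    """Return the bare address for an RFC 3986 bracketed IPv6 literal.

    '[2620:0:d60:ac1a::10]' -> '2620:0:d60:ac1a::10'. Anything not wrapped
    in exactly one pair of brackets is returned unchanged.
    """
    if len(candidate) >= 2 and candidate[0] == "[" and candidate[-1] == "]":
        return candidate[1:-1]
    return candidate


def is_valid_ip_strict(ip: str) -> bool:
    """getaddrinfo-based literal check with no bracket handling.

    This is the shape of the pre-fix behaviour: a bracketed IPv6 string is
    not a numeric host, so getaddrinfo raises gaierror (EAI_NONAME on glibc)
    and the address is treated as invalid.
    """
    if not ip or "\x00" in ip:
        return False
    try:
        res = socket.getaddrinfo(
            ip, 0, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST
        )
        return bool(res)
    except (socket.gaierror, ValueError):
        # gaierror: not a numeric literal; ValueError covers encoding failures.
        # (Tornado's own check is stricter about which gaierror codes it swallows.)
        return False


def is_valid_ip(ip: str) -> bool:
    """Bracket-tolerant check: '[v6]' is accepted only if the inside is IPv6."""
    if len(ip) >= 2 and ip[0] == "[" and ip[-1] == "]":
        inner = ip[1:-1]
        # Brackets are only legal around IPv6; '[203.0.113.7]' stays invalid.
        return ":" in inner and is_valid_ip_strict(inner)
    return is_valid_ip_strict(ip)


def resolve_remote_ip(headers, peer_ip, trusted_downstream=frozenset(), accept_brackets=True):
    """Simplified X-Forwarded-For / X-Real-Ip resolution (assumed logic, not Tornado's).

    Walks the forwarded chain from the right, skipping trusted downstream hops,
    then validates the chosen candidate. With accept_brackets=False the
    bracketed form is rejected and the function falls back to the peer address,
    which is the silent-drop behaviour the PR describes.
    """
    forwarded = headers.get("X-Forwarded-For", peer_ip)
    ip = peer_ip
    for cand in (c.strip() for c in reversed(forwarded.split(","))):
        ip = cand
        if cand not in trusted_downstream:
            break
    ip = headers.get("X-Real-Ip", ip)
    check = is_valid_ip if accept_brackets else is_valid_ip_strict
    if not check(ip):
        return peer_ip
    # Store the bare address so downstream code never sees the brackets.
    return unwrap_bracketed_ipv6(ip) if accept_brackets else ip


if __name__ == "__main__":
    print("pre-fix :", resolve_remote_ip(BRACKETED_HEADERS, "10.0.0.1", accept_brackets=False))
    print("post-fix:", resolve_remote_ip(BRACKETED_HEADERS, "10.0.0.1"))
    print("chain   :", resolve_remote_ip(CHAIN_HEADERS, "10.0.0.1", trusted_downstream={"10.0.0.2"}))
```

Running the block prints the peer address for the pre-fix path and the bare IPv6 address for the post-fix path, which is exactly the difference the PR is addressing.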

Development

Successfully merging this pull request may close these issues.

x-forwarded-for doesn't work
