
ForwardedHeaderFilter should support case insensitive header name [SPR-14372] #18945


Closed
spring-projects-issues opened this issue Jun 16, 2016 · 3 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement

@spring-projects-issues

spring-projects-issues commented Jun 16, 2016

Thibaud Lepretre opened SPR-14372 and commented

Since 4.3.0.RELEASE Spring offers a new filter ForwardedHeaderFilter to handle X-Forwarded-* headers (#18192).

However, the shouldNotFilter method uses a case-sensitive comparison:

```java
@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
	Enumeration<String> headerNames = request.getHeaderNames();
	while (headerNames.hasMoreElements()) {
		String name = headerNames.nextElement();
		if (FORWARDED_HEADER_NAMES.contains(name)) {
			return false;
		}
	}
	return true;
}
```

Whereas RFC7230 - 3.2 Header Fields states:

> Each header field consists of a case-insensitive field name followed by a colon (":")

Regardless of RFC7230, with an NGINX configuration like

```nginx
proxy_set_header X-Forwarded-Hostname $http_host;
```

even with the correct case, the header name will be transformed and the container will receive x-forwarded-hostname


Affects: 4.3 GA

Reference URL: https://github.com/kakawait/spr-14372

Issue Links:

Referenced from: commits 919f6c9

1 votes, 2 watchers

@spring-projects-issues

Thibaud Lepretre commented

I just created a sample to reproduce (you need docker)

https://github.com/kakawait/spr-14372

@spring-projects-issues

Thibaud Lepretre commented

Quick-and-dirty bypass:

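```java
// Nested inside one of the application's own classes. Imports needed at the top of that file:
// java.util.Enumeration, java.util.HashSet, java.util.Locale, java.util.Set,
// javax.servlet.ServletException, javax.servlet.http.HttpServletRequest.
private static class ForwardedHeaderFilter extends org.springframework.web.filter.ForwardedHeaderFilter {
    // Lower-case copies of the header names, compared against lower-cased request header names.
    private static final Set<String> FORWARDED_HEADER_NAMES;

    static {
        FORWARDED_HEADER_NAMES = new HashSet<>(5);
        FORWARDED_HEADER_NAMES.add("forwarded");
        FORWARDED_HEADER_NAMES.add("x-forwarded-host");
        FORWARDED_HEADER_NAMES.add("x-forwarded-port");
        FORWARDED_HEADER_NAMES.add("x-forwarded-proto");
        FORWARDED_HEADER_NAMES.add("x-forwarded-prefix");
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
            if (FORWARDED_HEADER_NAMES.contains(name.toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }
}
```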

@spring-projects-issues

Rossen Stoyanchev commented

The fix was a little more involved. Besides the Filter-level check, there are a couple more places (getting the X-Forwarded-Prefix) and masking the X-Forwarded-* headers.

It should be fixed now.
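
The three places named in the last comment (the filter-level check, reading X-Forwarded-Prefix, and masking the X-Forwarded-* headers) all need the same case-insensitive comparison. The sketch below is an added example, not part of the thread and not Spring's code or the actual fix in commit 919f6c9; the class and method names are hypothetical, and plain collections stand in for HttpServletRequest so it runs without a servlet container.

```java
import java.util.*;

// Added illustration, not Spring's implementation. All names here are hypothetical;
// plain collections stand in for HttpServletRequest.
public class ForwardedHeaderCaseDemo {

    // A TreeSet ordered by CASE_INSENSITIVE_ORDER matches names in any casing
    // and does not depend on the JVM's default locale the way toLowerCase() does.
    static final Set<String> FORWARDED_HEADER_NAMES = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        FORWARDED_HEADER_NAMES.addAll(Arrays.asList("Forwarded", "X-Forwarded-Host",
                "X-Forwarded-Port", "X-Forwarded-Proto", "X-Forwarded-Prefix"));
    }

    // Filter-level check: true only when no forwarded header is present in any casing.
    static boolean shouldNotFilter(Collection<String> headerNames) {
        for (String name : headerNames) {
            if (FORWARDED_HEADER_NAMES.contains(name)) return false;
        }
        return true;
    }

    // Look up one header value regardless of how the proxy cased its name.
    static String getHeader(Map<String, String> headers, String wanted) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(wanted)) return e.getValue();
        }
        return null;
    }

    // Masking: the header view handed to downstream code, minus the forwarded headers.
    static Map<String, String> maskForwarded(Map<String, String> headers) {
        Map<String, String> visible = new LinkedHashMap<>();
        headers.forEach((k, v) -> { if (!FORWARDED_HEADER_NAMES.contains(k)) visible.put(k, v); });
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample: header names lower-cased, as described in the report.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("host", "backend:8080");
        headers.put("x-forwarded-proto", "https");
        headers.put("x-forwarded-prefix", "/app");
        System.out.println(shouldNotFilter(headers.keySet()));
        System.out.println(getHeader(headers, "X-Forwarded-Prefix"));
        System.out.println(maskForwarded(headers));
    }
}
```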
