Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For#18688
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Forwarded header and a trusted X-Forwarded-Forheader, as this is most likely a misconfigurationwhich causes security flaws.
| $hasTrustedClientIpHeader =self::$trustedHeaders[self::HEADER_CLIENT_IP] &&$this->headers->has(self::$trustedHeaders[self::HEADER_CLIENT_IP]); | ||
| if ($hasTrustedForwardedHeader &&$hasTrustedClientIpHeader) { | ||
| trigger_error('The request has both a trusted Forwarded header and a trusted Client IP header. This is likely a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them. When both headers are set and trusted, this method returns only IPs from the Forwarded header.',E_USER_WARNING); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'm wondering if we could instead throw an exception here. What do you think? Any use case where setting both would be legitimate?
magnusnordlanderMay 3, 2016 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
It could be legitimate as a legacy measure from proxies, if both headers contain the same information, I suppose.
That can be detected of course, I mean, it's just a matter of parsing both headers and see if they have the same IPs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'll update this PR to do that, because we probably don't want neither to warn nor throw exceptions if a proxy sends both headers for backwards compatibility.
magnusnordlander commentedMay 5, 2016
@fabpot: I have now updated the PR to throw exceptions instead, and to not do so when both the Forwarded and X-Forwarded-For header agree with each other. I am a bit worried about the fact that the very commonly used |
| } | ||
| if ($hasTrustedForwardedHeader &&$hasTrustedClientIpHeader &&$forwardedClientIps !==$xForwardedForClientIps) { | ||
| thrownewConflictingHeadersException('The request has both a trusted Forwarded header and a trusted Client IP header, conflicting with each other with regards to the originating IP addresses of the request. This is the result of a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them.'); | ||
| }elseif (!$hasTrustedForwardedHeader && !$hasTrustedClientIpHeader) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This can be simpleif cause you throw exception inif before it.
…s to the Forwarded header (magnusnordlander)This PR was squashed before being merged into the 2.7 branch (closes#6526).Discussion----------Documented how to configure Symfony correctly with regards to the Forwarded header| Q | A| ------------- | ---| Doc fix? | yes| New docs? | no| Applies to | >2.7| Fixed tickets |Ref:symfony/symfony#18688Commits-------87ab598 Documented how to configure Symfony correctly with regards to the Forwarded header
fabpot commentedMay 13, 2016
@magnusnordlander I agree with you that we should bail out as early as possible and consistently. |
| returnself::$trustedProxies && IpUtils::checkIp($this->server->get('REMOTE_ADDR'),self::$trustedProxies); | ||
| } | ||
| privatefunctionnormalizeAndFilterClientIps($clientIps,$ip) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I would typehint the first argument asarray
magnusnordlander commentedMay 13, 2016
I'll give some consideration to where to put this validation, and have an updated PR ready tomorrow (also fixing the other two things, of course). |
nicolas-grekas commentedMay 19, 2016
Status: needs work |
fabpot commentedJun 15, 2016
@magnusnordlander Do you have time in the next few days to update this PR? |
magnusnordlander commentedJun 22, 2016
I'll have time this Friday. |
magnusnordlander commentedJun 25, 2016
So, the code is updated. The remaining build error is because the composer.json of HttpKernel and FrameworkBundle needs to be updated to require the version of HttpFoundation and HttpKernel respectively, that this is released in. I don't know how to handle that without actually making a release. Any help there? |
magnusnordlander commentedJun 27, 2016
Ping@fabpot |
| * | ||
| * @author Magnus Nordlander <magnus@fervo.se> | ||
| */ | ||
| class ValidateRequestClientIpListener implements EventSubscriberInterface |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
What about naming this classValidateRequestListener to allow adding more checks in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
We already have a genericresponse_listener, so naming itrequest_listener might be an option as well (not sure about possible conflicts with existing end-user listeners though).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I should think thatvalidate_request_listener has less potential for conflict
| <tagname="kernel.event_subscriber" /> | ||
| </service> | ||
| <serviceid="validate_request_client_ip_listener"class="Symfony\Component\HttpKernel\EventListener\ValidateRequestClientIpListener"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If we rename the class as I suggest, this should be renamed accordingly (validate_request_listener).
fabpot commentedJun 28, 2016
👍 |
fabpot commentedJun 29, 2016
Thank you@magnusnordlander. |
This PR was merged into the 2.7 branch.Discussion----------fixed HttpKernel dependencies after#18688| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | ~| License | MIT| Doc PR | ~Commits-------f809f3e fixed HttpKernel dependencies after#18688
…pKernel (nicolas-grekas)This PR was merged into the 2.7 branch.Discussion----------[HttpKernel] Inline ValidateRequestListener logic into HttpKernel| Q | A| ------------- | ---| Branch? | 2.7| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets |#18688#19216| License | MIT| Doc PR | -I propose to inline the listener introduced in#18688 into HttpKernel.Commits-------9d3ae85 [HttpKernel] Inline ValidateRequestListener logic into HttpKernel
* 2.7: [HttpKernel] Inline ValidateRequestListener logic into HttpKernel fixed HttpKernel dependencies after#18688Conflicts:src/Symfony/Component/HttpKernel/composer.json
* 2.8: [FrameworkBundle] Fix fixtures [HttpKernel] Inline ValidateRequestListener logic into HttpKernel fixed HttpKernel dependencies after#18688Conflicts:src/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/builder_1_services.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/definition_1.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/definition_2.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/event_dispatcher_1_events.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/legacy_synchronized_service_definition_1.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/legacy_synchronized_service_definition_2.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/parameter.txtsrc/Symfony/Bundle/FrameworkBundle/Tests/Fixtures/Descriptor/route_collection_1.txtsrc/Symfony/Bundle/FrameworkBundle/composer.jsonsrc/Symfony/Component/HttpKernel/composer.json
* 3.0: [FrameworkBundle] Fix fixtures [HttpKernel] Inline ValidateRequestListener logic into HttpKernel fixed HttpKernel dependencies after#18688Conflicts:src/Symfony/Component/HttpKernel/HttpKernel.phpsrc/Symfony/Component/HttpKernel/Tests/HttpKernelTest.php
leandigital commentedJul 21, 2016
Late to the party here, but I just experienced the exception after upgrading to 2.8.8 and landed on this page. The server is behind Akamai, and looks like it's sending both Forwarded and X-Forwarded-For headers. I checked the new documentation and tried disallowing one of the headers, but it didn't help and the error didn't go away. Any ideas why and how do I only allow one of those headers? Here is the snippet I used: Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null); |
ninsuo commentedJul 27, 2016 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Well some of our members use proxies (Forwarded) and we use reverse proxies (X-Forwarded-For), as a result, boom. Do I miss something? |
magnusnordlander commentedJul 28, 2016
@iSyndicate So, first of all, it seems odd that Akamai is sending you different information about the provenance of the request in the different headers. That's not been my experience with them, and I suspect might be a configuration issue. However, you should, as you have attempted, be able to fix that by distrusting one of the headers, and that snippet is indeed correct. In which file, and where, did you put that snippet? @ninsuo: Well, yes. You can't trust the information coming from random strangers (or in this case rather, random clients) on the Internet. Ideally your reverse proxy would be filtering out the untrusted Forwarded header (because, since you have marked it as a trusted proxy, you are relying on it for accurate information on the provenance of the request, and the Forwarded header coming from your clients is not trustworthy), but if that is not possible, you should make sure Symfony distrusts the Forwarded header, as detailed here:http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html#my-reverse-proxy-sends-x-forwarded-for-but-does-not-filter-the-forwarded-header |
ninsuo commentedJul 29, 2016
Thank you for clarification. But as everybody can set any header I don't see any point of using them as a reliable information. We do trust and use only the headers our nginx is setting, no matter what our members are setting. We can use Referer header (as well as lots of others) to flag client as "using a proxy" and giving him a lesser trust score (more chances to get 3DSecure, MFA, ...) and removing it is quite inconvenient. |
hightoxicity commentedJul 29, 2016 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
You can not trust X-Forwarded, Forwarded, both of them, your system engineer is in charge of reading remoteip_addr on the first front node of your infrastructure and provide you (to your framework) the value read in a secure way that you can trust (according together), I think about a dedicated header, your system engineer sets/overrides in all cases. You can keep Forwarded and X-Forwarded headers for information and to decorate... I do not see very well where the Symfony framework has to be intelligent on such security problem. |
magnusnordlander commentedJul 29, 2016
This particular piece of code only runs when you have configured Symfony to trust a proxy server. By default, Symfony doesn't trust any proxy server, and does not consider X-Forwarded-For nor Forwarded to contain reliable information on the Client IP. |
…:setTrustedProxies() - deprecate not setting it (nicolas-grekas)This PR was merged into the 3.3-dev branch.Discussion----------[HttpFoundation] Add $trustedHeaderSet arg to Request::setTrustedProxies() - deprecate not setting it| Q | A| ------------- | ---| Branch? | master| Bug fix? | no| New feature? | yes| BC breaks? | no| Deprecations? | yes| Tests pass? | no tests yet| Fixed tickets | -| License | MIT| Doc PR | -Follow up of#18688PR adds a second `$trustedHeaderSet` argument to `Request::setTrustedProxies()`, can be either `Request::HEADER_FORWARDED` or `Request::HEADER_X_FORWARDED_ALL` to set which header to trust from your proxies - the idea being that without this info, one will get some `ConflictingHeadersException`, but those may be lost in the logs.Commits-------d3c9604 [HttpFoundation] Add $trustedHeaderSet arg to Request::setTrustedProxies() - deprecate not setting it
Uh oh!
There was an error while loading.Please reload this page.
Emit a warning when a request has both a trusted Forwarded header and a trusted X-Forwarded-For header, as this is most likely a misconfiguration which causes security issues.