remove spoof-able request header (#7103)

* remove spoof-able request header https://github.com/seaweedfs/seaweedfs/issues/7094#issuecomment-3158320497 * Update weed/security/guard.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-08 00:24:23 +08:00 · 2025-08-06 10:08:30 -07:00
parent 0703308270
commit e446234e9c
2 changed files with 2 additions and 34 deletions
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
 }

 func GetActualRemoteHost(r *http.Request) string {
-	// Check X-Forwarded-For headers first (may contain comma-separated IPs)
-	// HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader
-	host := r.Header.Get("HTTP_X_FORWARDED_FOR")
-	if host == "" {
-		host = r.Header.Get("X-FORWARDED-FOR")
-	}
-	if host != "" {
-		for _, ipStr := range strings.Split(host, ",") {
-			host = strings.TrimSpace(ipStr)
-			if host != "" {
-				break
-			}
-		}
-	}
-
-	// If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
-	if host == "" {
-		host = r.Header.Get("X-Real-IP")
-	}
-
-	// If we got a host from headers, use it (can be IP or hostname)
-	if host != "" {
-		if host = strings.TrimSpace(host); host != "" {
-			return host
-		}
-	}
-
-	// If no host from headers, extract from RemoteAddr
+	// For security reasons, only use RemoteAddr to determine the client's IP address.
+	// Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
 	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err == nil {
 		return host