lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-08-20 08:53:33 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

remove spoof-able request header (#7103)

Browse Source 
* remove spoof-able request header

https://github.com/seaweedfs/seaweedfs/issues/7094#issuecomment-3158320497

* Update weed/security/guard.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Chris Lu 2025-08-06 10:08:30 -07:00 committed by GitHub
parent 0703308270
commit e446234e9c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
weed/security/guard.go
View File

@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
} }
func GetActualRemoteHost(r *http.Request) string { func GetActualRemoteHost(r *http.Request) string {
// Check X-Forwarded-For headers first (may contain comma-separated IPs) // For security reasons, only use RemoteAddr to determine the client's IP address.
// HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader // Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
host := r.Header.Get("HTTP_X_FORWARDED_FOR")
if host == "" {
host = r.Header.Get("X-FORWARDED-FOR")
}
if host != "" {
for _, ipStr := range strings.Split(host, ",") {
host = strings.TrimSpace(ipStr)
if host != "" {
break
}
}
}
// If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
if host == "" {
host = r.Header.Get("X-Real-IP")
}
// If we got a host from headers, use it (can be IP or hostname)
if host != "" {
if host = strings.TrimSpace(host); host != "" {
return host
}
}
// If no host from headers, extract from RemoteAddr
host, _, err := net.SplitHostPort(r.RemoteAddr) host, _, err := net.SplitHostPort(r.RemoteAddr)
if err == nil { if err == nil {
return host return host

6
weed/server/master_server.go
View File

@ -257,12 +257,6 @@ func (ms *MasterServer) proxyToLeader(f http.HandlerFunc) http.HandlerFunc {
// proxy to leader // proxy to leader
glog.V(4).Infoln("proxying to leader", raftServerLeader) glog.V(4).Infoln("proxying to leader", raftServerLeader)
proxy := httputil.NewSingleHostReverseProxy(targetUrl) proxy := httputil.NewSingleHostReverseProxy(targetUrl)
director := proxy.Director
proxy.Director = func(req *http.Request) {
actualHost := security.GetActualRemoteHost(req)
req.Header.Set("HTTP_X_FORWARDED_FOR", actualHost)
director(req)
}
proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport() proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport()
proxy.ServeHTTP(w, r) proxy.ServeHTTP(w, r)
} }