13835:a4b58ea5bf7b 13.0
mod_http: Log problems parsing IP addresses in X-Forwarded-For (Thanks Boris)
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 09 Apr 2025 18:11:57 +0200 |
parents | 13834:61df1404dd7a |
children | 13836:c600794cafb6 |
files | plugins/mod_http.lua |
diffstat | 1 files changed, 11 insertions(+), 3 deletions(-) [+] |
--- a/plugins/mod_http.lua Wed Apr 09 15:54:54 2025 +0200
+++ b/plugins/mod_http.lua Wed Apr 09 18:11:57 2025 +0200
@@ -339,7 +339,8 @@
 if trusted_proxies[ip] then
 return true;
 end
- local parsed_ip = new_ip(ip)
+ local parsed_ip, err = new_ip(ip);
+ if not parsed_ip then return nil, err; end
 for trusted_proxy in trusted_proxies do
 if match_ip(parsed_ip, parse_cidr(trusted_proxy)) then
 return true;
@@ -357,10 +358,14 @@
 request.forwarded = forwarded;
 for i = #forwarded, 1, -1 do
 local proxy = forwarded[i]
- if is_trusted_proxy(ip) then
+ local trusted, err = is_trusted_proxy(ip);
+ if trusted then
 ip = normal_ip(proxy["for"]);
 secure = secure and proxy.proto == "https";
 else
+ if err then
+ request.log("warn", "Could not parse forwarded connection details: %s");
+ end
 break
 end
 end
@@ -387,7 +392,10 @@
 -- Case d) If all IPs are in trusted proxies, something went obviously wrong and the logic never overwrites `ip`, leaving it at the original request IP.
 forwarded_for = forwarded_for..", "..ip;
 for forwarded_ip in forwarded_for:gmatch("[^%s,]+") do
- if not is_trusted_proxy(forwarded_ip) then
+ local trusted, err = is_trusted_proxy(forwarded_ip);
+ if err then
+ request.log("warn", "Could not parse forwarded connection details: %s");
+ elseif not trusted then
 ip = forwarded_ip;
 end
 end
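Review bot: `is_trusted_proxy` now has a third outcome, `nil` plus an error string when `new_ip(ip)` fails, and nothing in the hunk documents it; the function's start and end are outside the hunk. A short comment above the function would spell out the contract, for example `-- Returns true for a trusted proxy; nil, err if ip cannot be parsed (callers must treat that as untrusted)`. The exact-match lookup `trusted_proxies[ip]` still runs before parsing, so only strings that are not literal members of the set reach `new_ip`.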
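Review bot: The added `request.log("warn", "Could not parse forwarded connection details: %s")` has a `%s` placeholder but passes no value for it, so the error returned by `is_trusted_proxy` never reaches the log; pass it through, `request.log("warn", "Could not parse forwarded connection details: %s", err);`. The same call with the same omission is added in the X-Forwarded-For loop in the last hunk. Separately, on any iteration after the first, `ip` already holds the value taken from `proxy["for"]`, which is the string that just failed to parse, and the `break` leaves it in place. What happens to `ip` after the loop is outside the hunk, but it may be worth keeping the last address that did parse in a separate local and restoring it before `break`.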
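Review bot: In the X-Forwarded-For loop the `if err then` branch logs and carries on, so an unparseable entry is skipped and `ip` keeps whatever earlier entry was last accepted, whereas the Forwarded loop in the previous hunk stops at the first parse failure. If skipping is the intended behaviour, the case list that ends with `Case d)` should say so, for example `-- Case e) Entries that cannot be parsed are logged and ignored; ip keeps the last untrusted address that parsed.`. If it is not intended, the safer choice is to stop trusting the header at that point, as the Forwarded loop does. The enclosing function starts and ends outside the hunk.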