Changeset

13124:f15e23840780

util.http: Implement parser for RFC 7239 Forwarded header Standardized and structured replacement for the X-Forwarded-For, X-Forwarded-Proto set of headers. Notably, this allows per-hop protocol information, unlike X-Forwarded-Proto which is always a single value for some reason.
author Kim Alvefur <zash@zash.se>
date Sat, 03 Jun 2023 16:15:52 +0200
parents 13123:dee26e4cfb2b
children 13125:90394be5e6a5
files doc/doap.xml spec/util_http_spec.lua util/http.lua
diffstat 3 files changed, 55 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/doc/doap.xml	Thu Jun 01 14:33:57 2023 +0200
+++ b/doc/doap.xml	Sat Jun 03 16:15:52 2023 +0200
@@ -56,6 +56,7 @@
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc6455"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc6901"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc7233"/>
+    <implements rdf:resource="https://www.rfc-editor.org/info/rfc7239"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc7301"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc7395"/>
     <implements rdf:resource="https://www.rfc-editor.org/info/rfc7590"/>
--- a/spec/util_http_spec.lua	Thu Jun 01 14:33:57 2023 +0200
+++ b/spec/util_http_spec.lua	Sat Jun 03 16:15:52 2023 +0200
@@ -108,4 +108,25 @@
 			assert.is_(http.contains_token("fo o", "foo"));
 		end);
 	end);
+
+do
+	describe("parse_forwarded", function()
+		it("works", function()
+			assert.same({ { ["for"] = "[2001:db8:cafe::17]:4711" } }, http.parse_forwarded('For="[2001:db8:cafe::17]:4711"'), "case insensitive");
+
+			assert.same({ { ["for"] = "192.0.2.60"; proto = "http"; by = "203.0.113.43" } }, http.parse_forwarded('for=192.0.2.60;proto=http;by=203.0.113.43'),
+				"separated by semicolon");
+
+			assert.same({ { ["for"] = "192.0.2.43" }; { ["for"] = "198.51.100.17" } }, http.parse_forwarded('for=192.0.2.43, for=198.51.100.17'),
+				"Values from multiple proxy servers can be appended using a comma");
+
+		end)
+		it("rejects quoted quotes", function ()
+			assert.falsy(http.parse_forwarded('foo="bar\"bar'), "quoted quotes");
+		end)
+		pending("deals with quoted quotes", function ()
+			assert.same({ { foo = 'bar"baz' } }, http.parse_forwarded('foo="bar\"bar'), "quoted quotes");
+		end)
+	end)
+end
 end);
--- a/util/http.lua	Thu Jun 01 14:33:57 2023 +0200
+++ b/util/http.lua	Sat Jun 03 16:15:52 2023 +0200
@@ -69,9 +69,42 @@
 	return path;
 end
 
+--- Parse the RFC 7239 Forwarded header into array of key-value pairs.
+local function parse_forwarded(forwarded)
+	if type(forwarded) ~= "string" then
+		return nil;
+	end
+
+	local fwd = {}; -- array
+	local cur = {}; -- map, to which we add the next key-value pair
+	for key, quoted, value, delim in forwarded:gmatch("(%w+)%s*=%s*(\"?)([^,;\"]+)%2%s*(.?)") do
+		-- FIXME quoted quotes like "foo\"bar"
+		-- unlikely when only dealing with IP addresses
+		if quoted == '"' then
+			value = value:gsub("\\(.)", "%1");
+		end
+
+		cur[key:lower()] = value;
+		if delim == "" or delim == "," then
+			t_insert(fwd, cur)
+			if delim == "" then
+				-- end of the string
+				break;
+			end
+			cur = {};
+		elseif delim ~= ";" then
+			-- misparsed
+			return false;
+		end
+	end
+
+	return fwd;
+end
+
 return {
 	urlencode = urlencode, urldecode = urldecode;
 	formencode = formencode, formdecode = formdecode;
 	contains_token = contains_token;
 	normalize_path = normalize_path;
+	parse_forwarded = parse_forwarded;
 };