Thin shouldn't set SERVER_ADDR with the value of X-Forwarded-For
Reported by Iñaki Baz Castillo | September 13th, 2009 @ 07:00 PM | in Future
Unlike other servers (such as Mongrel or WEBrick), Thin discards the real request source address if it contains an X-Forwarded-For header, and it sets the Rack variable env[SERVER_ADDR] to the content of X-Forwarded-For.
This is a security risk as a client could spoof the X-Forwarded-For header. For example, some HTTP servers (not just web servers) require Digest (or Basic) authentication depending on the URL and the source IP. A malicious user could spoof the X-Forwarded-For value to a trusted IP and get private or sensitive information from the Thin server.
IMHO it's the responsibility of the application to decide which field to inspect in order to know the client source IP. The application would know if it's behind an HTTP proxy or not, rather than the HTTP server itself.
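The following Rack middleware is an added example of the approach the report argues for; it is not Thin's code and not part of this ticket. It leaves SERVER_ADDR and REMOTE_ADDR untouched, and only consults X-Forwarded-For when the socket peer (REMOTE_ADDR) is in an explicit list of trusted proxies, walking the header from the right so that any value a client prepends is ignored. The env key `example.client_ip`, the `TrustedClientIp` class, the `10.0.0.0/8` proxy range and the sample request environments are all constructed for this illustration.

```ruby
require "ipaddr"

# Hypothetical middleware (added example, not Thin's or Rack's own code).
# It never overwrites SERVER_ADDR or REMOTE_ADDR; the resolved client
# address goes into a separate key so the app can still see the raw peer.
class TrustedClientIp
  CLIENT_IP_KEY = "example.client_ip" # constructed key name for this example

  def initialize(app, trusted_proxies: [])
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    env[CLIENT_IP_KEY] = self.class.client_ip(env, @trusted)
    @app.call(env)
  end

  # Returns the address to treat as the client:
  # - if the socket peer is not a trusted proxy, X-Forwarded-For is ignored
  #   entirely (an untrusted client can write anything into that header);
  # - otherwise walk the header right-to-left, skipping trusted proxy hops,
  #   and return the first address that is not a trusted proxy;
  # - a malformed hop discards the whole header and falls back to the peer.
  def self.client_ip(env, trusted)
    peer = env["REMOTE_ADDR"].to_s
    return peer unless trusted?(peer, trusted)

    chain = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).reject(&:empty?)
    chain.reverse_each do |addr|
      return peer unless valid_ip?(addr)
      return addr unless trusted?(addr, trusted)
    end
    peer # every hop was a trusted proxy; nothing better than the peer itself
  end

  def self.valid_ip?(str)
    IPAddr.new(str)
    true
  rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
    false
  end

  def self.trusted?(addr, trusted)
    valid_ip?(addr) && trusted.any? { |net| net.include?(IPAddr.new(addr)) }
  end
end

# Minimal Rack app that just echoes the resolved client address (constructed).
EXAMPLE_APP = lambda do |env|
  [200, { "Content-Type" => "text/plain" }, ["client: #{env[TrustedClientIp::CLIENT_IP_KEY]}"]]
end
EXAMPLE_STACK = TrustedClientIp.new(EXAMPLE_APP, trusted_proxies: ["10.0.0.0/8"])

# Constructed request environments, using documentation ranges as addresses.
SPOOF_ATTEMPT = { "REMOTE_ADDR" => "203.0.113.7", "HTTP_X_FORWARDED_FOR" => "10.0.0.5" }
BEHIND_PROXY  = { "REMOTE_ADDR" => "10.0.0.2", "HTTP_X_FORWARDED_FOR" => "198.51.100.9, 10.0.0.3" }
PREPENDED_FAKE = { "REMOTE_ADDR" => "10.0.0.2", "HTTP_X_FORWARDED_FOR" => "10.0.0.5, 198.51.100.9" }
MALFORMED     = { "REMOTE_ADDR" => "10.0.0.2", "HTTP_X_FORWARDED_FOR" => "not-an-ip" }

if $PROGRAM_NAME == __FILE__
  [SPOOF_ATTEMPT, BEHIND_PROXY, PREPENDED_FAKE, MALFORMED].each do |env|
    _status, _headers, body = EXAMPLE_STACK.call(env.dup)
    puts body.join
  end
end
```

With the direct connection from 203.0.113.7 the header value 10.0.0.5 is never used, which is the case the ticket describes; with a trusted proxy as the peer the middleware still reaches the real client even when that client has pushed a fake trusted address into the header.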
Comments and changes to this ticket
macournoyer September 13th, 2009 @ 07:57 PM
- State changed from new to resolved
This should be fixed in latest version (1.2.4), see commit: http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47...
pls reopen if you still see an issue.