#112 ✓resolved
Iñaki Baz Castillo

Thin shouldn't set SERVER_ADDR with the value of X-Forwarded-For

Reported by Iñaki Baz Castillo | September 13th, 2009 @ 07:00 PM | in Future

Unlike other servers (such as Mongrel or WEBrick), Thin discards the real request source address if the request contains an X-Forwarded-For header, and it sets the Rack variable env[SERVER_ADDR] to the content of X-Forwarded-For.

This is a security risk as a client could spoof the X-Forwarded-For header. For example, some HTTP servers (not just web servers) require Digest (or Basic) authentication depending on the URL and the source IP. A malicious user could spoof the X-Forwarded-For value to a trusted IP and get private or sensitive information from the Thin server.

IMHO it's the responsibility of the application to decide which field to inspect in order to know the client source IP. The application would know whether it's behind an HTTP proxy or not, rather than the HTTP server itself.
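One way to apply what the report recommends, as an added example that is not Thin's code: a Rack middleware that leaves the server's view of the peer alone and only consults X-Forwarded-For when the direct peer (REMOTE_ADDR, Rack's key for the connecting address) is in a trusted-proxy list, walking the header right to left so client-supplied entries are never reached. The trusted-proxy CIDRs and the `client.ip` env key are assumptions for the example.

```ruby
require 'ipaddr'

# Added example (not Thin's code): resolve the client address from a Rack env
# without blindly trusting X-Forwarded-For. The header is consulted only when
# the TCP peer (REMOTE_ADDR) is an operator-configured proxy, and it is walked
# right-to-left so only hops appended by trusted proxies are skipped.
class ClientIpResolver
  def initialize(trusted_proxies)
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def valid_ip?(ip)
    return false unless ip.is_a?(String)
    IPAddr.new(ip)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def trusted?(ip)
    valid_ip?(ip) && @trusted.any? { |net| net.include?(IPAddr.new(ip)) }
  end

  # Returns the address the application should treat as the client's.
  def call(env)
    peer = env['REMOTE_ADDR']
    return peer unless trusted?(peer)   # untrusted peer: header is ignored

    hops = env.fetch('HTTP_X_FORWARDED_FOR', '').split(',').map(&:strip)
    hops.reverse_each do |hop|
      return peer unless valid_ip?(hop) # malformed hop: fall back to the peer
      return hop unless trusted?(hop)   # first non-proxy hop is the client
    end
    peer # every hop was a trusted proxy, or the header was empty
  end
end

# Rack middleware exposing the vetted address as env['client.ip'] (assumed
# key) so the app authorises on it rather than on SERVER_ADDR or the raw header.
class TrustedClientIp
  def initialize(app, trusted_proxies)
    @app = app
    @resolver = ClientIpResolver.new(trusted_proxies)
  end

  def call(env)
    env['client.ip'] = @resolver.call(env)
    @app.call(env)
  end
end
```

A request arriving directly from an untrusted host keeps its peer address no matter what X-Forwarded-For says, which is exactly the spoofing case the report describes.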
