Support custom Forwarded header parameters #2170

Closed
vfaronov opened this issue Aug 5, 2017 · 3 comments
vfaronov commented Aug 5, 2017

Long story short

aiohttp.web.BaseRequest.forwarded does not parse the Forwarded header in accordance with RFC 7239. In particular, it does not support custom parameters.

The whole point of deploying Forwarded instead of the legacy X-Forwarded-* zoo is extensibility. For example, custom parameters could be very useful for identifying proxies reliably (as opposed to the current practice of “take the nth proxy from the end”).

Expected behaviour

Given a request with headers:

Forwarded: for=203.40.91.97;by=10.1.2.3;secret=JxED1spY6t;
Forwarded: for=10.1.2.3;by=10.4.5.6;;some="other, stuff"

the forwarded attribute should have the value:

(
    mappingproxy({
        'for': '203.40.91.97',
        'by': '10.1.2.3',
        'secret': 'JxED1spY6t',
    }),
    mappingproxy({
        'for': '10.1.2.3',
        'by': '10.4.5.6',
        'some': 'other, stuff',
    }),
)

Actual behaviour

The forwarded attribute has the value ({}, {}, {}).

Note how a comma inside a quoted-string confuses aiohttp, which could even lead to security problems if the application is programmed to look at the nth value from the end or the beginning.

Steps to reproduce

Run this server program:

from aiohttp import web
async def handle(request):
    return web.Response(text=repr(request.forwarded))
app = web.Application()
app.router.add_get('/', handle)
web.run_app(app)

and send requests to it with curl:

$ curl -v localhost:8080/ \
>   -H 'Forwarded: for=203.40.91.97;by=10.1.2.3;secret=JxED1spY6t;' \
>   -H 'Forwarded: for=10.1.2.3;by=10.4.5.6;;some="other, stuff"'

Your environment

aiohttp Git master, Python 3.5, Linux
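
The parsing behaviour requested in the issue above, as an added example (not aiohttp's code and not the parser from the gist mentioned in this thread). The function names and the shared-secret lookup are assumptions made for illustration; the sample input is the two header lines from the issue.

```python
import hmac
import re
from types import MappingProxyType

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"  # RFC 7230 token
QUOTED = r'"(?:[^"\\]|\\.)*"'  # RFC 7230 quoted-string
PAIR = re.compile(r"(%s)=(%s|%s)" % (TOKEN, TOKEN, QUOTED))
OWS = re.compile(r"[ \t]*")


def parse_forwarded(field_lines):
    """Return one read-only mapping per forwarded-element, in header order."""
    text = ", ".join(field_lines)  # repeated field lines form one list
    hops, current, pos = [], {}, 0
    while pos <= len(text):
        pos = OWS.match(text, pos).end()
        pair = PAIR.match(text, pos)
        if pair:
            name, value = pair.group(1).lower(), pair.group(2)
            if value[0] == '"':  # quoted-string: drop quotes, undo escapes
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            current[name] = value
            pos = OWS.match(text, pair.end()).end()
        if pos == len(text) or text[pos] == ",":
            if current:  # empty list elements are ignored
                hops.append(MappingProxyType(current))
            current = {}
        elif text[pos] != ";":  # reject rather than guess at hop boundaries
            raise ValueError("malformed Forwarded value at offset %d" % pos)
        pos += 1
    return tuple(hops)


def naive_hop_count(field_lines):
    """Count hops by splitting on every comma, ignoring quoted-strings."""
    return len(", ".join(field_lines).split(","))


def hop_with_secret(hops, secret):
    """Find the hop our own proxy tagged with a shared secret (assumed scheme)."""
    for hop in reversed(hops):
        if hmac.compare_digest(hop.get("secret", "").encode(), secret.encode()):
            return hop
    return None


# Constructed sample: the two header lines from the issue.
SAMPLE = ["for=203.40.91.97;by=10.1.2.3;secret=JxED1spY6t;",
          'for=10.1.2.3;by=10.4.5.6;;some="other, stuff"']
```

On `SAMPLE` the comma-splitting count is 3 while the quote-aware parser returns 2 hops, which is the positional shift the issue warns about for code that picks the nth value from either end.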


vfaronov commented Aug 5, 2017

I’m experimenting with a different parser:
https://gist.github.com/vfaronov/890ec14572d4ccacfa54616e39a43783
It is more correct than aiohttp’s current parser, while being about as fast (in my unscientific tests) and simple. Let me know if you like this approach and want me to make a PR.


fafhrd91 commented Aug 5, 2017

+1 I think this makes sense


lock bot commented Oct 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there are important points made in this discussion, please include those excerpts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new

@lock lock bot added the outdated label Oct 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 28, 2019