Steps to reproduce
Run this server program:
```python
from aiohttp import web


async def handle(request):
    # Echo the parsed Forwarded header so the parser's output is visible
    return web.Response(text=repr(request.forwarded))


app = web.Application()
app.router.add_get('/', handle)
web.run_app(app)
```
I’m experimenting with a different parser: https://gist.github.com/vfaronov/890ec14572d4ccacfa54616e39a43783
It is more correct than aiohttp’s current parser, while being about as fast (in my unscientific tests) and simple. Let me know if you like this approach and want me to make a PR.
Long story short
aiohttp.web.BaseRequest.forwarded does not parse the Forwarded header in accordance with RFC 7239. In particular, it does not support custom parameters.
The whole point of deploying Forwarded instead of the legacy X-Forwarded-* zoo is extensibility. For example, custom parameters could be very useful for identifying proxies reliably (as opposed to the current practice of “take the nth proxy from the end”).
Expected behaviour
Given a request with headers:
the forwarded attribute should have the value:
Actual behaviour
The forwarded attribute has the value ({}, {}, {}).
Note how a comma inside a quoted-string confuses aiohttp, which could even lead to security problems if the application is programmed to look at the nth value from the end or the beginning.
Steps to reproduce
Run this server program:
and send requests to it with curl:
Your environment
aiohttp Git master, Python 3.5, Linux
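A quoted-string-aware parse of the case this issue describes, as an added example that is neither aiohttp's code nor the parser from the linked gist. The function names and the sample header values (including the custom parameters note and proxyid) are constructed for illustration.

```python
import re

# Grammar pieces from RFC 7230/7239: token, quoted-string, forwarded-pair.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PAIR = re.compile(rf"({_TOKEN})=({_TOKEN}|{_QUOTED})[ \t]*")
_OWS = re.compile(r"[ \t]*")
_UNESCAPE = re.compile(r"\\(.)")


def parse_forwarded(field_values):
    """Return one dict per forwarded-element; raise ValueError on bad syntax."""
    hops = []
    for value in field_values:  # one string per Forwarded header line
        pos, hop = 0, {}
        while True:
            pos = _OWS.match(value, pos).end()
            pair = _PAIR.match(value, pos)
            if pair:
                name, raw = pair.group(1).lower(), pair.group(2)
                if name in hop:
                    raise ValueError(f"duplicate parameter {name!r}")
                if raw.startswith('"'):  # quoted-string: strip quotes, unescape
                    raw = _UNESCAPE.sub(r"\1", raw[1:-1])
                hop[name] = raw  # custom parameter names are kept as well
                pos = pair.end()
            if pos == len(value):
                hops.append(hop)
                break
            if value[pos] == ",":  # only a comma outside quotes ends an element
                hops.append(hop)
                hop = {}
            elif value[pos] != ";":
                raise ValueError(f"malformed Forwarded header at offset {pos}")
            pos += 1
    return hops


def naive_split(field_values):
    """Comma-splitting view of the same input, blind to quoted-strings."""
    return [part.strip() for v in field_values for part in v.split(",")]


# Constructed sample: two hops, one quoted value containing a comma.
SAMPLE = ['for=198.51.100.7;by=_edge;note="a, b"',
          'for="[2001:db8::1]:4711";proxyid=inner1']

if __name__ == "__main__":
    print(len(naive_split(SAMPLE)), "naive elements")
    for hop in parse_forwarded(SAMPLE):
        print(hop)
```

The comma-splitting view counts three elements for two hops, so any "nth from the end" lookup built on it lands on the wrong proxy; rejecting malformed input with ValueError keeps a mis-parsed header from being trusted silently.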