Bug #64489
rgw: pick the last ip in x-forwarded-for chain
% Done: 0%
Source:
Tags: proxy policy security
Backport: quincy reef squid
Regression: No
Severity: 3 - minor
Reviewed:
Description
Currently, when rgw_remote_addr_param is set to HTTP_X_FORWARDED_FOR, it will pick the first IP from the chain. As described here (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For), it needs to pick the last one; otherwise it can be manipulated by the client and cause access to a bucket (which is protected by a bucket policy based on aws:SourceIP).
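The difference between the two selections, as an added example (not Ceph's code and not the code from the linked pull request). It assumes a single trusted proxy in front of the gateway that appends the connecting peer's address to the header; the function names, the policy stand-in and the addresses are constructed for illustration.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Trim ASCII spaces and tabs from both ends of one list element.
static std::string_view trim(std::string_view s) {
  const auto b = s.find_first_not_of(" \t");
  if (b == std::string_view::npos) return {};
  const auto e = s.find_last_not_of(" \t");
  return s.substr(b, e - b + 1);
}

// Leftmost element: whatever arrived in the client's own X-Forwarded-For
// header, so its value is chosen by the client.
std::string first_forwarded_addr(std::string_view xff) {
  return std::string(trim(xff.substr(0, xff.find(','))));
}

// Rightmost element: the peer address appended by the proxy directly in
// front of the server (assumption: that proxy is trusted and always appends).
// Returns an empty string for a malformed trailing element; a caller should
// then fall back to the socket peer address instead of trusting the header.
std::string last_forwarded_addr(std::string_view xff) {
  const auto pos = xff.rfind(',');
  return std::string(
      trim(pos == std::string_view::npos ? xff : xff.substr(pos + 1)));
}

// Hypothetical stand-in for a bucket policy condition on the source address
// that allows exactly one internal address.
bool policy_allows(std::string_view source_ip) {
  return source_ip == "10.0.0.5";
}

int main() {
  // Constructed header: a client at 203.0.113.7 sent
  // "X-Forwarded-For: 10.0.0.5" and the proxy appended the real peer address.
  const std::string xff = "10.0.0.5, 203.0.113.7";
  const std::string first = first_forwarded_addr(xff);
  const std::string last = last_forwarded_addr(xff);
  std::cout << "first=" << first << " allowed=" << policy_allows(first) << "\n";
  std::cout << "last=" << last << " allowed=" << policy_allows(last) << "\n";
  return 0;
}
```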
Updated by Seena Fallah 3 months ago
Updated by Casey Bodley 2 months ago
- Status changed from New to Fix Under Review
- Assignee set to Seena Fallah
- Tags set to proxy policy security
- Backport changed from reef,quincy,pacific to quincy reef squid
- Pull request ID set to 55646