Actions
Bug #64489
openrgw: pick the last ip in x-forwarded-for chain
% Done:
0%
Source:
Tags:
proxy policy security
Backport:
quincy reef squid
Regression:
No
Severity:
3 - minor
Reviewed:
Description
Currently, when rgw_remote_addr_param is set to HTTP_X_FORWARDED_FOR, it will pick the first IP from the chain. As described here (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) it needs to pick the last one otherwise it can be manipulated by the client and cause access to a bucket (which is protected by a bucket policy based on aws:SourceIP).
Actions