Support multiple proxies in X-Forwarded-For header

2025-12-06 17:27:52 +00:00 · 2019-09-04 01:38:32 -07:00
parent 6cda070fe0
commit ade1afe1b0
2 changed files with 26 additions and 12 deletions
--- a/src/ripple/rpc/impl/Role.cpp
+++ b/src/ripple/rpc/impl/Role.cpp
@@ -19,6 +19,9 @@

 #include <ripple/rpc/Role.h>
 #include <boost/beast/core/string.hpp>
+#include <boost/beast/http/field.hpp>
+#include <boost/beast/http/rfc7230.hpp>
+#include <boost/utility/string_view.hpp>
 #include <algorithm>

 namespace ripple {
@@ -108,14 +111,7 @@ requestInboundEndpoint (Resource::Manager& manager,
 boost::string_view
 forwardedFor(http_request_type const& request)
 {
-    auto it = request.find("X-Forwarded-For");
-    if (it != request.end())
-    {
-        return boost::beast::http::ext_list{
-            it->value()}.begin()->first;
-    }
-
-    it = request.find("Forwarded");
+    auto it = request.find(boost::beast::http::field::forwarded);
    if (it != request.end())
    {
        auto ascii_tolower = [](char c) -> char
@@ -137,10 +133,23 @@ forwardedFor(http_request_type const& request)
            return {};

        found += forStr.size();
-        auto pos{it->value().find(';', forStr.size())};
-        if (pos != boost::string_view::npos)
-            return {found, pos + 1};
-        return {found, it->value().size() - forStr.size()};
+        std::size_t const pos ([&]()
+        {
+            std::size_t const pos{boost::string_view(
+                found, it->value().end() - found).find(';')};
+            if (pos == boost::string_view::npos)
+                return it->value().size() - forStr.size();
+            return pos;
+        }());
+
+        return *boost::beast::http::token_list(
+            boost::string_view(found, pos)).begin();
+    }
+
+    it = request.find("X-Forwarded-For");
+    if (it != request.end())
+    {
+        return *boost::beast::http::token_list(it->value()).begin();
    }

    return {};
--- a/src/test/rpc/Roles_test.cpp
+++ b/src/test/rpc/Roles_test.cpp
@@ -82,6 +82,11 @@ class Roles_test : public beast::unit_test::suite
            rpcRes = env.rpc(headers, "ping")["result"];
            BEAST_EXPECT(rpcRes["ip"] == "55.66.77.88");

+            headers["Forwarded"] = "what=where;for=55.66.77.88, 99.00.11.22;"
+                                   "who=3";
+            rpcRes = env.rpc(headers, "ping")["result"];
+            BEAST_EXPECT(rpcRes["ip"] == "55.66.77.88");
+
            wsRes = makeWSClient(
                env.app().config(), true, 2, headers)->invoke("ping")["result"];
            BEAST_EXPECT(