fix: whitelist and XFF.

2018-05-30 09:26:03 +02:00 · 2018-05-30 09:26:03 +02:00 · 6bcf45f136
parent 8bca8236db
commit 6bcf45f136
3 changed files with 20 additions and 9 deletions
--- a/server/header_rewriter.go
+++ b/server/header_rewriter.go
@ -44,7 +44,7 @@ func (h *headerRewriter) Rewrite(req *http.Request) {

 	err := h.ips.IsAuthorized(req)
 	if err != nil {
-		log.Error(err)
+		log.Debug(err)
 		h.secureRewriter.Rewrite(req)
 		return
 	}
--- a/whitelist/ip.go
+++ b/whitelist/ip.go
@ -61,16 +61,19 @@ func (ip *IP) IsAuthorized(req *http.Request) error {
 		xFFs := req.Header[XForwardedFor]
 		if len(xFFs) > 0 {
 			for _, xFF := range xFFs {
-				ok, err := ip.contains(parseHost(xFF))
-				if err != nil {
-					return err
-				}
+				xffs := strings.Split(xFF, ",")
+				for _, xff := range xffs {
+					ok, err := ip.contains(parseHost(xff))
+					if err != nil {
+						return err
+					}

-				if ok {
-					return nil
-				}
+					if ok {
+						return nil
+					}

-				invalidMatches = append(invalidMatches, xFF)
+					invalidMatches = append(invalidMatches, xff)
+				}
 			}
 		}
 	}
--- a/whitelist/ip_test.go
+++ b/whitelist/ip_test.go
@ -27,6 +27,14 @@ func TestIsAuthorized(t *testing.T) {
 			xForwardedForValues: []string{"1.2.3.1", "10.2.3.1"},
 			authorized:          true,
 		},
+		{
+			desc:                "allow UseXForwardedFor, remoteAddr not in range, UseXForwardedFor in range (compact XFF)",
+			whiteList:           []string{"1.2.3.4/24"},
+			allowXForwardedFor:  true,
+			remoteAddr:          "10.2.3.1:123",
+			xForwardedForValues: []string{"1.2.3.1, 10.2.3.1"},
+			authorized:          true,
+		},
 		{
 			desc:                "allow UseXForwardedFor, remoteAddr in range, UseXForwardedFor in range",
 			whiteList:           []string{"1.2.3.4/24"},