
Mention security considerations in Forwarded filters

This commit improves the Javadoc for the `ForwardedHeaderFilter`
(Servlet Filter) and `ForwardedHeaderTransformer` (reactive variant) so
as to mention security considerations linked to Forwarded HTTP headers.

Closes gh-26081
pull/26211/head
Brian Clozel 4 years ago
parent
commit
9776929a9d
  1. 9
      spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
  2. 11
      spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

9
spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java

@ -56,8 +56,13 @@ import org.springframework.web.util.UrlPathHelper;
* <li>{@link HttpServletResponse#sendRedirect(String) sendRedirect(String)}. * <li>{@link HttpServletResponse#sendRedirect(String) sendRedirect(String)}.
* </ul> * </ul>
* *
* <p>This filter can also be used in a {@link #setRemoveOnly removeOnly} mode * <p>There are security considerations for forwarded headers since an application
* where "Forwarded" and "X-Forwarded-*" headers are eliminated, and not used. * cannot know if the headers were added by a proxy, as intended, or by a malicious
* client. This is why a proxy at the boundary of trust should be configured to
* remove untrusted Forwarded headers that come from the outside.
*
* <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
* in which case it removes but does not use the headers.
* *
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @author Eddú Meléndez * @author Eddú Meléndez
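Review bot: the replaced wording drops the explicit list of header families. The removed line named both "Forwarded" and "X-Forwarded-*" headers, while the new paragraph only says a proxy should "remove untrusted Forwarded headers"; since the filter consumes both families, the advice should name both so that an operator does not strip RFC 7239 `Forwarded` at the boundary and leave `X-Forwarded-Host`/`X-Forwarded-Proto` passing through. It would also help to state outright that the filter itself performs no trust check on the source of these headers, so when no trusted proxy sits in front of the application the safe choices are `removeOnly` or not registering the filter at all.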

11
spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java

@ -36,15 +36,20 @@ import org.springframework.web.util.UriComponentsBuilder;
* the request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects * the request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects
* the client-originated protocol and address. * the client-originated protocol and address.
* *
* <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true",
* then "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
*
* <p>An instance of this class is typically declared as a bean with the name * <p>An instance of this class is typically declared as a bean with the name
* "forwardedHeaderTransformer" and detected by * "forwardedHeaderTransformer" and detected by
* {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it * {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it
* can also be registered directly via * can also be registered directly via
* {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}. * {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}.
* *
* <p>There are security considerations for forwarded headers since an application
* cannot know if the headers were added by a proxy, as intended, or by a malicious
* client. This is why a proxy at the boundary of trust should be configured to
* remove untrusted Forwarded headers that come from the outside.
*
* <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
* in which case it removes but does not use the headers.
*
* @author Rossen Stoyanchev * @author Rossen Stoyanchev
* @since 5.1 * @since 5.1
* @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a> * @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
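Review bot: the new `removeOnly` paragraph names the wrong class. This is the Javadoc for `ForwardedHeaderTransformer`, but the added line reads "You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly}", which looks copied from the Servlet filter; it should say `ForwardedHeaderTransformer`. As in the filter, the security paragraph would be clearer if it named both "Forwarded" and "X-Forwarded-*" headers, matching the removed sentence that listed them explicitly.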
