Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy

[yannic-hamann-abb]

Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy

• You've read the Contributor Guide and Code of Conduct.
• You've included unit or integration tests for your change, where applicable.
• You've included inline docs for your change, where applicable.
• There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Fixes a bug where, under some conditions, XForwardedPrefix , XForwardedProto and XForwardedHost headers could be tampered with.

Description

This PR makes sure that XForwarded-Headers are only interpreted when they come from a known proxy. As suggested by the documentation..

If the ForwardedHeaders.XForwardedFor flag in ForwardedHeadersOptions isn't set. The ForwardedHeadersMiddleware doesn't check if the request comes from a known proxy.

This means that with the following ForwardedHeadersOptions (or any other combination where ForwardedHeaders.XForwardedFor is missing):

var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedPrefix };
_application.UseForwardedHeaders(options);

the respective X-Forwarded-headers will be always processed by the middleware which have some (security related?) side effects:

• XForwardedPrefix sets context.Request.PathBase
• XForwardedProto sets context.Request.Scheme
• XForwardedHost sets context.Request.Host

With ForwardedHeadersOptions set to ForwardedHeaders.All no side effects would have been executed.

Fixes #61449

This observation has been reported by me via the MSRC-Portal but was classified as a product bug. The following information may be related: aspnet/Announcements#295

[yannic-hamann-abb]

@dotnet-policy-service agree

[BrennanConroy]

/backport to release/9.0

[github-actions]

Started backporting to release/9.0: https://github.com/dotnet/aspnetcore/actions/runs/14605839496

[BrennanConroy]

/backport to release/8.0

[github-actions]

Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/14605854172

[BrennanConroy]

/backport to release/2.3

[github-actions]

Started backporting to release/2.3: https://github.com/dotnet/aspnetcore/actions/runs/14605871270

[github-actions]

@BrennanConroy backporting to "release/2.3" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Header Spoofing Proof for XForwardedProto, XForwardedHost and XForwardedPrefix
Using index info to reconstruct a base tree...
M	src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
CONFLICT (content): Merge conflict in src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Header Spoofing Proof for XForwardedProto, XForwardedHost and XForwardedPrefix
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

[BrennanConroy]

Thanks for the find and fix @yannic-hamann-abb !

[cezarypiatek]

This is a breaking changes!!!

After upgrading from AspnetCore 8.0.15 to 8.0.17 this completly broke my authentication as the ForwardedHeaders = ForwardedHeaders.XForwardedProto was completly ignored and the callback url for external auth provider was without http. I wasted 4h chasing this down. Since now to make it work with azure ingress for container apps you need to clear KnownNetworks and KnownProxies

THIS SHOULD NOT BE INCLUDED IN THE MINOR RELEASE.