ForwardedHeaderFilter should support case insensitive header name [SPR-14372]

[spring-projects-issues]

Thibaud Lepretre opened SPR-14372 and commented

Since 4.3.0.RELEASE Spring offers a new filter ForwardedHeaderFilter to handle X-Forwarded-* headers (#18192).

However method shouldNotFilter is case sensitive comparaison

@Override
protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
	Enumeration<String> headerNames = request.getHeaderNames();
	while (headerNames.hasMoreElements()) {
		String name = headerNames.nextElement();
		if (FORWARDED_HEADER_NAMES.contains(name)) {
			return false;
		}
	}
	return true;
}

Where RFC7230 - 3.2 Header Fields

Each header field consists of a case-insensitive field name followed by a colon (":")

Regardless RFC7230, NGinX configuration like

proxy_set_header X-Forwarded-Hostname $http_host;

Even with correct case will be transformed and container will received x-forwarded-hostname

---

Affects: 4.3 GA

Reference URL: https://github.com/kakawait/spr-14372

Issue Links:

• ForwardedHeaderFilter should support cases where contextPath should not be replaced with X-Forwarded-Prefix [SPR-14376] #18949 ForwardedHeaderFilter should support cases where contextPath should not be replaced with X-Forwarded-Prefix

Referenced from: commits 919f6c9

1 votes, 2 watchers

[spring-projects-issues]

Thibaud Lepretre commented

I just created a sample to reproduce (you need docker)

https://github.com/kakawait/spr-14372

[spring-projects-issues]

Thibaud Lepretre commented

Quick&Dirty by-pass

private static class ForwardedHeaderFilter extends org.springframework.web.filter.ForwardedHeaderFilter {
    private static final Set<String> FORWARDED_HEADER_NAMES;

    static {
        FORWARDED_HEADER_NAMES = new HashSet<>(5);
        FORWARDED_HEADER_NAMES.add("forwarded");
        FORWARDED_HEADER_NAMES.add("x-forwarded-host");
        FORWARDED_HEADER_NAMES.add("x-forwarded-port");
        FORWARDED_HEADER_NAMES.add("x-forwarded-proto");
        FORWARDED_HEADER_NAMES.add("x-forwarded-prefix");
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            if (FORWARDED_HEADER_NAMES.contains(name.toLowerCase())) {
                return false;
            }
        }
        return true;
    }
}

[spring-projects-issues]

Rossen Stoyanchev commented

The fix was a little more involved. Besides the Filter-level check, there are a couple more places (getting the X-Forwarded-Prefix) and masking the X-Forwarded-* headers.

It should be fixed now.