Mention security considerations in Forwarded filters

This commit improves the Javadoc for the `ForwardedHeaderFilter`
(Servlet Filter) and `ForwardedHeaderTransformer` (reactive variant) so
as to mention security considerations linked to Forwarded HTTP headers.

Closes gh-26081
Brian Clozel 2020-12-03 15:33:37 +01:00
parent 4337d8465c
commit 9776929a9d
2 changed files with 15 additions and 5 deletions


@ -56,8 +56,13 @@ import org.springframework.web.util.UrlPathHelper;
* <li>{@link HttpServletResponse#sendRedirect(String) sendRedirect(String)}.
* </ul>
*
* <p>This filter can also be used in a {@link #setRemoveOnly removeOnly} mode
* where "Forwarded" and "X-Forwarded-*" headers are eliminated, and not used.
* <p>There are security considerations for forwarded headers since an application
* cannot know if the headers were added by a proxy, as intended, or by a malicious
* client. This is why a proxy at the boundary of trust should be configured to
* remove untrusted Forwarded headers that come from the outside.
*
* <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
* in which case it removes but does not use the headers.
*
* @author Rossen Stoyanchev
* @author Eddú Meléndez
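Review bot: the new security paragraph in the `ForwardedHeaderFilter` Javadoc only tells operators to strip "untrusted Forwarded headers", but the same Javadoc says the filter consumes both "Forwarded" and "X-Forwarded-*" headers; a proxy configured to drop only `Forwarded` would still let a client-supplied `X-Forwarded-Host` or `X-Forwarded-Proto` through, so the sentence should read "remove untrusted Forwarded and X-Forwarded-* headers that come from the outside". Also consider linking the removeOnly paragraph back to that risk (removeOnly is the mode to use when no trusted proxy sets these headers) rather than describing it as a plain alternative.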


@ -36,15 +36,20 @@ import org.springframework.web.util.UriComponentsBuilder;
* the request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects
* the client-originated protocol and address.
*
* <p>Alternatively if {@link #setRemoveOnly removeOnly} is set to "true",
* then "Forwarded" and "X-Forwarded-*" headers are only removed, and not used.
*
* <p>An instance of this class is typically declared as a bean with the name
* "forwardedHeaderTransformer" and detected by
* {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it
* can also be registered directly via
* {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}.
*
* <p>There are security considerations for forwarded headers since an application
* cannot know if the headers were added by a proxy, as intended, or by a malicious
* client. This is why a proxy at the boundary of trust should be configured to
* remove untrusted Forwarded headers that come from the outside.
*
* <p>You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly},
* in which case it removes but does not use the headers.
*
* @author Rossen Stoyanchev
* @since 5.1
* @see <a href="https://tools.ietf.org/html/rfc7239">https://tools.ietf.org/html/rfc7239</a>
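Review bot: the added paragraph in `ForwardedHeaderTransformer` still says "You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly}", which looks copy-pasted from the Servlet filter; this is the reactive transformer, so the sentence should name `ForwardedHeaderTransformer` (or "this transformer"), and the `{@link #setRemoveOnly removeOnly}` reference should be checked against the method actually declared on this class. The same "Forwarded and X-Forwarded-*" wording point from the filter hunk applies here too, since the class description above covers both header families.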