hertz icon indicating copy to clipboard operation
hertz copied to clipboard

Published 20 hours ago verified publisher icon cloudwego

"ClientIP" handling is unsafe

Open Geometry6151 opened this issue 2 years ago • 2 comments

https://github.com/cloudwego/hertz/blob/3ac19d5b1158badab0c7fc8e47b2e4ba667c4453/pkg/app/context.go#L980-L994

This code has a security risk, when using the ClientIP function it is easy to be spoofed by "X-Real-IP" and "X-Forwarded-For" to bypass the checks。

This problem also occurs with the Gin framework -> https://github.com/gin-gonic/gin/issues/2473 The fix can be found in their issue。

Geometry6151 avatar Aug 01 '22 05:08 Geometry6151

Thanks for reporting! Are you interested in submitting a pr to fix it? It's OK if it is not so, I'll put it into TODOs.

welkeyever avatar Aug 01 '22 05:08 welkeyever

i want to try it, please assign me.

BaiZe1998 avatar Oct 26 '22 14:10 BaiZe1998