matrix-media-repo icon indicating copy to clipboard operation
matrix-media-repo copied to clipboard

Published 20 hours ago verified publisher icon t2bot

X-Forwarded-For with proxy addresses is not handled properly

Open Scrin opened this issue 6 months ago • 1 comments

It looks like if one uses a reverse proxy in front of MMR that includes X-Forwarded-For header with possible proxy address(es), MMR does not handle that properly. I believe the issue is here: https://github.com/t2bot/matrix-media-repo/blob/85fabea54375630e4f404ff6ecc8c63fbaa28cdc/api/_routers/03-host_detection.go#L37-L45

If the raddr gets its value from the X-Forwarded-For and the header contains proxy addresses (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#syntax ), then the net.SplitHostPort fails to parse it

Scrin avatar Aug 03 '24 20:08 Scrin