Skip to content

SSLProxyHeaders trusted without checking source #11

Description

@jdub

I see there's no parameter to define the IP or CIDR of your load balancers / proxies / SSL offloaders, and thus the code can't (and doesn't) check if the connection was made from a trusted source before trusting the SSLProxyHeaders.

Thus, if you happen to deploy in production without a load balancer for some reason (or your proxy doesn't scrub XFP headers), anyone could spoof HTTPS request validity just by sending the appropriate header.

(Note: Knowing the connection was from a trusted source is also important for interpreting X-Forwarded-For headers, which don't seem to be dealt with in this handler or elsewhere in martini-contrib as far as I can see. Unless it makes sense to implement XFF support in the secure handler, the list of IPs / CIDRs to trust should be shared somehow.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions