From 9776929a9d0d0e9bed98df32bf465b756e15b056 Mon Sep 17 00:00:00 2001 From: Brian Clozel Date: Thu, 3 Dec 2020 15:33:37 +0100 Subject: [PATCH] Mention security considerations in Forwarded filters This commit improves the Javadoc for the `ForwardedHeaderFilter` (Servlet Filter) and `ForwardedHeaderTransformer` (reactive variant) so as to mention security considerations linked to Forwarded HTTP headers. Closes gh-26081 --- .../web/filter/ForwardedHeaderFilter.java | 9 +++++++-- .../server/adapter/ForwardedHeaderTransformer.java | 11 ++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java index 40d74ae24f..4a4938b497 100644 --- a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java +++ b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java @@ -56,8 +56,13 @@ import org.springframework.web.util.UrlPathHelper; *
  • {@link HttpServletResponse#sendRedirect(String) sendRedirect(String)}. * * - *

    This filter can also be used in a {@link #setRemoveOnly removeOnly} mode - * where "Forwarded" and "X-Forwarded-*" headers are eliminated, and not used. + *

    There are security considerations for forwarded headers since an application + * cannot know if the headers were added by a proxy, as intended, or by a malicious + * client. This is why a proxy at the boundary of trust should be configured to + * remove untrusted Forwarded headers that come from the outside. + * + *

    You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly}, + * in which case it removes but does not use the headers. * * @author Rossen Stoyanchev * @author EddĂș MelĂ©ndez diff --git a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java index 531d734135..fac2f1acfa 100644 --- a/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java +++ b/spring-web/src/main/java/org/springframework/web/server/adapter/ForwardedHeaderTransformer.java @@ -36,15 +36,20 @@ import org.springframework.web.util.UriComponentsBuilder; * the request URI (i.e. {@link ServerHttpRequest#getURI()}) so it reflects * the client-originated protocol and address. * - *

    Alternatively if {@link #setRemoveOnly removeOnly} is set to "true", - * then "Forwarded" and "X-Forwarded-*" headers are only removed, and not used. - * *

    An instance of this class is typically declared as a bean with the name * "forwardedHeaderTransformer" and detected by * {@link WebHttpHandlerBuilder#applicationContext(ApplicationContext)}, or it * can also be registered directly via * {@link WebHttpHandlerBuilder#forwardedHeaderTransformer(ForwardedHeaderTransformer)}. * + *

    There are security considerations for forwarded headers since an application + * cannot know if the headers were added by a proxy, as intended, or by a malicious + * client. This is why a proxy at the boundary of trust should be configured to + * remove untrusted Forwarded headers that come from the outside. + * + *

    You can also configure the ForwardedHeaderFilter with {@link #setRemoveOnly removeOnly}, + * in which case it removes but does not use the headers. + * * @author Rossen Stoyanchev * @since 5.1 * @see https://tools.ietf.org/html/rfc7239