Done.  Ticket is:

https://github.com/akka/akka/issues/19388

I described the potential solution in there and also included possible 
regex expressions to use.  If you want me to take this the next step, which 
would be making the change myself, let me know.

On Friday, January 8, 2016 at 2:15:18 AM UTC-5, rkuhn wrote:
>
> This sounds like a bug, please open a ticket about this and thanks for 
> noticing! If you want to follow up with a PR that would be even more 
> awesome :-)
>
> Regards,
>
> Roland 
>
> Sent from my iPhone
>
> On 07 Jan 2016, at 16:36, Chris Baxter <cba...@gmail.com> 
> wrote:
>
> I was looking at the Akka Http code recently, specifically how the 
> X-Forwarded-For header is parsed into the model header class of the same 
> name.  I noticed that the list of strings that represent the header value 
> are mapped into RemoteAddress classes, using the companion's apply method 
> that take a String.  In that code, I see InetAddress.getByName being called 
> which worries me a bit.  If what is being passed in there is already an IP 
> address (not a host name), then no DNS lookup will occur.  But, if someone 
> supplied an explicit X-Forwarded-For header on the request and put a 
> hostname in there then getByName will do a DNS lookup and that can be slow 
> and potentially dangerous from a denial of service perspective.  From my 
> experience, the only safe way to take a String and get it into a 
> InetAddress is to break it down into the individual octet pieces (split on 
> ".") and then convert those into bytes and then use 
> InetAddress.getByAddress.  If it happened to be a hostname, we throw it out 
> because none of our proxy servers would ever append a hostname anyway so 
> it's probably garbage.  
>
> Is this something you guys have given consideration to?  Is there any way 
> I can change how X-Forwarded-For is parsed to avoid such a potential issue?
>
> -- 
> >>>>>>>>>> Read the docs: http://akka.io/docs/
> >>>>>>>>>> Check the FAQ: 
> http://doc.akka.io/docs/akka/current/additional/faq.html
> >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Akka User List" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to akka-user+...@googlegroups.com.
> To post to this group, send email to akka...@googlegroups.com.
> Visit this group at https://groups.google.com/group/akka-user.
> For more options, visit https://groups.google.com/d/optout.
>
>

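As an added example (not Akka's code, and not the change proposed in the ticket), the Java class below parses an X-Forwarded-For value the way Chris describes: each comma-separated element is split on "." into four octets, each octet is checked to be a decimal number in 0..255 and converted to a byte, and the four bytes are handed to InetAddress.getByAddress, which only wraps the raw bytes and never performs a DNS lookup. Anything that is not a dotted-quad IPv4 literal, hostnames included, is discarded rather than resolved. The class and method names are assumptions made for this illustration, and the header value in main is a constructed sample.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/**
 * Added example, not Akka's code: parse X-Forwarded-For without ever
 * resolving a name. Only dotted-quad IPv4 literals are accepted; anything
 * else (hostnames, IPv6, junk) is dropped, as the thread suggests.
 */
public final class ForwardedForParser {

    private ForwardedForParser() {}

    /** Strictly parse one IPv4 literal; empty for anything that is not a.b.c.d. */
    public static Optional<InetAddress> parseIpv4Literal(String s) {
        if (s == null) return Optional.empty();
        // limit -1 keeps trailing empty strings so "1.2.3." is rejected
        String[] parts = s.trim().split("\\.", -1);
        if (parts.length != 4) return Optional.empty();
        byte[] octets = new byte[4];
        for (int i = 0; i < 4; i++) {
            String p = parts[i];
            // 1-3 ASCII digits, no leading zero (avoids octal/ambiguous forms)
            if (p.isEmpty() || p.length() > 3
                    || (p.length() > 1 && p.charAt(0) == '0')) {
                return Optional.empty();
            }
            for (int j = 0; j < p.length(); j++) {
                char c = p.charAt(j);
                if (c < '0' || c > '9') return Optional.empty();
            }
            int v = Integer.parseInt(p);
            if (v > 255) return Optional.empty();
            octets[i] = (byte) v;
        }
        try {
            // getByAddress never resolves: it only wraps the raw bytes.
            return Optional.of(InetAddress.getByAddress(octets));
        } catch (UnknownHostException e) {
            // only thrown for an illegal array length, which is ruled out above
            return Optional.empty();
        }
    }

    /** Parse a full header value, keeping valid IPv4 literals in order. */
    public static List<InetAddress> parseHeader(String headerValue) {
        List<InetAddress> out = new ArrayList<>();
        if (headerValue == null) return out;
        for (String element : headerValue.split(",")) {
            parseIpv4Literal(element).ifPresent(out::add);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a client IP, a caller-supplied hostname that
        // getByName would have tried to resolve, a proxy IP, and two malformed
        // entries that must be thrown away.
        String header = "203.0.113.7, example.invalid, 10.0.0.1, 01.2.3.4, 999.1.1.1";
        for (InetAddress a : parseHeader(header)) {
            // getHostAddress() formats the bytes; it does no reverse lookup.
            System.out.println(a.getHostAddress());
        }
    }
}
```

The same shape works in Scala against the same java.net API. The point to keep is that the only InetAddress factory called on untrusted header text is getByAddress, so a request that carries a hostname in X-Forwarded-For costs a few string comparisons instead of a blocking resolver call.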