To be more clear about the end result: prosody 13.0.1 cannot be
accessed via an HTTP proxy that uses x-forwarded-for from an ipv6
address. To reproduce without setting up a proxy:
curl -v -H 'x-forwarded-for: 2605:aaaa:a0c9:c900:d8b3:aaaa:aaaa:aaaa' 0:5280/xmpp-websocket

This results in a 500 response and the following exception:
2025-04-08 17:03:09 http.server error   Traceback[httpserver]: /usr/share/lua/5.4/prosody/util/ip.lua:217: attempt to index a nil value (local 'ipA')
        stack traceback:
        /usr/share/lua/5.4/prosody/util/ip.lua:217: in function 'prosody.util.ip.match'
        /usr/lib/prosody/modules/mod_http.lua:345: in upvalue 'is_trusted_proxy'
        /usr/lib/prosody/modules/mod_http.lua:391: in upvalue 'get_forwarded_connection_info'
        /usr/lib/prosody/modules/mod_http.lua:407: in function </usr/lib/prosody/modules/mod_http.lua:403>


The expected result is a 200. This is a regression since 0.12.5.

You get the expected result if the v6 address is encoded in the
rfc7239 format as the changeset I pointed to above intends, but the
widely used x-forwarded-for format (no brackets around v6 address) is
now broken.

Boris

On Mon, Apr 7, 2025 at 4:28 PM Boris Grozev <[email protected]> wrote:
>
> This change breaks the IPv6 format used in X-Forwarded-For
> https://hg.prosody.im/trunk/rev/90394be5e6a5
>
> X-Forwarded-For doesn't use brackets, and the second regexp meant for
> ipv4 kicks in:
> normal_ip("2001:db8:85a3:8d3:1319:8a2e:370:7348") ---> "2001"
>
> The first attached patch fixes it by only matching four sets of digits
> separated by dots. The new behaviour:
> 1.12.113.24 -> 1.12.113.24
> [2001:db8:85a3:8d3:1319:8a2e:370:7348] -> 2001:db8:85a3:8d3:1319:8a2e:370:7348
> 2001:db8:85a3:8d3:1319:8a2e:370:7348 -> 2001:db8:85a3:8d3:1319:8a2e:370:7348
> 1.12.113.24:443 -> 1.12.113.24
> [2001:db8:85a3:8d3:1319:8a2e:370:7348]:443 -> 2001:db8:85a3:8d3:1319:8a2e:370:7348
>
>
> The second patch I've submitted before. It ignores entries in
> X-Forwarded-For when they don't parse as an IP instead of throwing an
> exception and returning HTTP 500. Note with 0.12 this was only
> happening when something included invalid values in the header, but
> with 13 it fails when ipv6 is used with X-Forwarded-For (e.g.
> cloudflare).
>
>
> Regards,
> Boris
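Added example, not Prosody's code and not either of the patches in the thread: a Python reimplementation of the two behaviours under discussion. `normal_ip_naive` reproduces the prefix-matching rule that turns a bare IPv6 address into "2001", `normal_ip` implements the four-dotted-groups fix with the exact input/output table quoted above, and `forwarded_client` walks X-Forwarded-For from the right, skipping trusted proxies and ignoring entries that do not parse instead of failing the request, which is the intent of the second patch. The function names and the trusted-proxy handling are assumptions for illustration; the header values and addresses are constructed (the 2605:aaaa:... address is the one from the report).

```python
"""Normalising X-Forwarded-For entries: the prefix-match bug and a tolerant walk.

Added example (not Prosody's code). Names and structure are assumptions made
for illustration; sample addresses and headers are constructed.
"""
import ipaddress
import re

# Naive rule of the kind the thread describes: take the leading run of digits
# and dots, so an unbracketed IPv6 address "2001:db8::1" yields "2001".
_NAIVE_V4 = re.compile(r"^([\d.]+)")
# Fixed rule: exactly four dot-separated decimal groups, optional ":port".
_V4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")
# RFC 7239 style: bracketed IPv6 with optional ":port".
_V6_BRACKET = re.compile(r"^\[([0-9a-fA-F:.]+)\](?::\d+)?$")


def normal_ip_naive(value):
    """Buggy normaliser: bare IPv6 is truncated at the first colon."""
    value = value.strip()
    m = _V6_BRACKET.match(value)
    if m:
        return m.group(1)
    m = _NAIVE_V4.match(value)
    if m:
        return m.group(1)
    return value


def normal_ip(value):
    """Fixed normaliser: strip brackets and port; bare IPv6 passes through."""
    value = value.strip()
    m = _V6_BRACKET.match(value)
    if m:
        return m.group(1)
    m = _V4_PORT.match(value)
    if m:
        return m.group(1)
    return value


def parse_ip(value, normalise=normal_ip):
    """Return an ip_address object, or None when the entry is not a valid IP.

    Returning None (rather than raising) is what lets a header with one bad
    hop degrade gracefully instead of producing a 500.
    """
    try:
        return ipaddress.ip_address(normalise(value))
    except ValueError:
        return None


def forwarded_client(peer, xff_header, trusted_proxies):
    """Derive the client address from X-Forwarded-For.

    peer: address of the TCP peer (the proxy that sent us the request).
    trusted_proxies: list of CIDR strings whose X-Forwarded-For we believe.
    Entries are walked right to left; trusted proxies are skipped, entries
    that do not parse are ignored, and the first untrusted hop is the client.
    If the peer itself is not a trusted proxy the header is ignored entirely.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    client = ipaddress.ip_address(peer)
    if not is_trusted(client):
        return client  # header came from somewhere we do not trust: ignore it
    for entry in reversed(xff_header.split(",")):
        addr = parse_ip(entry)
        if addr is None:
            continue  # unparseable hop: skip it rather than fail the request
        if is_trusted(addr):
            client = addr  # another of our proxies; keep walking left
            continue
        return addr
    return client


if __name__ == "__main__":
    v6 = "2001:db8:85a3:8d3:1319:8a2e:370:7348"
    print("naive:", normal_ip_naive(v6))  # truncated to "2001"
    print("fixed:", normal_ip(v6))
    print(forwarded_client("10.0.0.2",
                           "2605:aaaa:a0c9:c900:d8b3:aaaa:aaaa:aaaa, junk, 10.0.0.3",
                           ["10.0.0.0/8"]))
```

The trusted-proxy check matters as much as the parsing fix: X-Forwarded-For is client-supplied unless the peer is a proxy you control, so the walk only consults it when the TCP peer is inside a trusted network, and a garbage hop is skipped rather than allowed to abort the request.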

-- 
You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
To view this discussion visit 
https://groups.google.com/d/msgid/prosody-dev/CAFCpYuxzBPMPJCZPvvSURobOBD79bmNCLyrq84peBao-WOoTdw%40mail.gmail.com.
