pkg/web: X-Forwarded-For multi-IP handling (#45098)

It is conventionally common for the X-Forwarded-For header to contain a comma-separated list of IP addresses, with each intermediate proxy adding an additional item as a request passes through it. This change makes the web framework handle this case appropriately, always selecting the first item in the list.
2025-01-09 23:53:25 -06:00 · 2022-02-08 14:37:19 -05:00 · 2022-02-08 14:37:19 -05:00 · 6a2255abe7
commit 6a2255abe7
parent 2cf421dfe3
1 changed files with 10 additions and 6 deletions
--- a/pkg/web/context.go
+++ b/pkg/web/context.go
@ -77,13 +77,17 @@ func (ctx *Context) run() {
 // RemoteAddr returns more real IP address.
 func (ctx *Context) RemoteAddr() string {
 	addr := ctx.Req.Header.Get("X-Real-IP")
+
 	if len(addr) == 0 {
-		addr = ctx.Req.Header.Get("X-Forwarded-For")
-		if addr == "" {
-			addr = ctx.Req.RemoteAddr
-			if i := strings.LastIndex(addr, ":"); i > -1 {
-				addr = addr[:i]
-			}
+		// X-Forwarded-For may contain multiple IP addresses, separated by
+		// commas.
+		addr = strings.TrimSpace(strings.Split(ctx.Req.Header.Get("X-Forwarded-For"), ",")[0])
+	}
+
+	if len(addr) == 0 {
+		addr = ctx.Req.RemoteAddr
+		if i := strings.LastIndex(addr, ":"); i > -1 {
+			addr = addr[:i]
 		}
 	}
 	return addr