
Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy #61530


Merged: 2 commits merged into dotnet:main on Apr 22, 2025
Conversation

@yannic-hamann-abb (Contributor) commented Apr 17, 2025

Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Fixes a bug where, under some conditions, the XForwardedPrefix, XForwardedProto and XForwardedHost headers could be tampered with.

Description

This PR makes sure that X-Forwarded headers are only interpreted when they come from a known proxy, as suggested by the documentation.

If the ForwardedHeaders.XForwardedFor flag in ForwardedHeadersOptions isn't set, the ForwardedHeadersMiddleware doesn't check whether the request comes from a known proxy.

This means that with the following ForwardedHeadersOptions (or any other combination where ForwardedHeaders.XForwardedFor is missing):

```csharp
var options = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedHost
                     | ForwardedHeaders.XForwardedProto
                     | ForwardedHeaders.XForwardedPrefix
};
_application.UseForwardedHeaders(options);
```

the respective X-Forwarded headers will always be processed by the middleware, which has some (security related?) side effects:

  • XForwardedPrefix sets context.Request.PathBase
  • XForwardedProto sets context.Request.Scheme
  • XForwardedHost sets context.Request.Host

With ForwardedHeadersOptions set to ForwardedHeaders.All, no side effects would have been executed.

Fixes #61449

This observation has been reported by me via the MSRC-Portal but was classified as a product bug. The following information may be related: aspnet/Announcements#295
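The following is an added example (not code from this PR or from the aspnetcore project) that shows how a practitioner can verify the behaviour described above from the defending side: it configures ForwardedHeadersMiddleware with the hardened settings (ForwardedHeaders.All plus an explicit KnownProxies entry, so the known-proxy check covers every forwarded header) and drives it directly against two constructed requests carrying X-Forwarded-* headers, one from the configured proxy address and one from an unknown address. The proxy address 10.0.0.5, the unknown address 198.51.100.9, the header values and the hostname app.internal are all assumed placeholders. It needs a project that references the shared framework (Microsoft.NET.Sdk.Web, or a FrameworkReference to Microsoft.AspNetCore.App).

```csharp
// Added example, not part of the PR: exercise ForwardedHeadersMiddleware directly
// to confirm that X-Forwarded-* values are only applied for a known proxy.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;

static class ForwardedHeadersCheck
{
    // Hardened configuration: process all forwarded headers together so the
    // known-proxy check runs, trust exactly one hop, and replace the default
    // loopback entries with the reverse proxy's address (assumed placeholder).
    static ForwardedHeadersOptions HardenedOptions()
    {
        var options = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.All,
            ForwardedLimit = 1,
        };
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
        options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // assumed proxy address
        return options;
    }

    // Constructed request: plain-HTTP connection from remoteIp that carries
    // forwarded headers which would rewrite scheme, host and path base if trusted.
    static DefaultHttpContext RequestFrom(string remoteIp)
    {
        var ctx = new DefaultHttpContext();
        ctx.Connection.RemoteIpAddress = IPAddress.Parse(remoteIp);
        ctx.Request.Scheme = "http";
        ctx.Request.Host = new HostString("app.internal");
        ctx.Request.PathBase = PathString.Empty;
        ctx.Request.Headers["X-Forwarded-For"] = "203.0.113.7";
        ctx.Request.Headers["X-Forwarded-Proto"] = "https";
        ctx.Request.Headers["X-Forwarded-Host"] = "forwarded.example";
        ctx.Request.Headers["X-Forwarded-Prefix"] = "/prefixed";
        return ctx;
    }

    static async Task Main()
    {
        // The middleware is constructed by hand; the terminal delegate does nothing,
        // so everything we observe afterwards was done by the middleware itself.
        var middleware = new ForwardedHeadersMiddleware(
            next: _ => Task.CompletedTask,
            loggerFactory: NullLoggerFactory.Instance,
            options: Options.Create(HardenedOptions()));

        foreach (var remote in new[] { "10.0.0.5", "198.51.100.9" })
        {
            var ctx = RequestFrom(remote);
            await middleware.Invoke(ctx);
            Console.WriteLine(
                $"connection from {remote}: scheme={ctx.Request.Scheme} " +
                $"host={ctx.Request.Host} pathBase='{ctx.Request.PathBase}' " +
                $"remoteIp={ctx.Connection.RemoteIpAddress}");
        }
    }
}
```

Only the request whose connection originates from the address listed in KnownProxies should come out with its Scheme, Host and PathBase rewritten; the request from the unknown address should keep the values the connection itself supplied. Running the same check with the options from the description (XForwardedHost | XForwardedProto | XForwardedPrefix, without XForwardedFor) on a build that predates this fix is the way to reproduce the behaviour the PR corrects.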

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares label Apr 17, 2025
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Apr 17, 2025
@yannic-hamann-abb (Contributor, Author):

@dotnet-policy-service agree

@BrennanConroy BrennanConroy merged commit 1cb6199 into dotnet:main Apr 22, 2025
26 checks passed
@BrennanConroy (Member):

/backport to release/9.0

@dotnet-policy-service dotnet-policy-service bot added this to the 10.0-preview4 milestone Apr 22, 2025
Contributor:

Started backporting to release/9.0: https://github.com/dotnet/aspnetcore/actions/runs/14605839496

@BrennanConroy (Member):

/backport to release/8.0

Contributor:

Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/14605854172

@BrennanConroy (Member):

/backport to release/2.3

Contributor:

Started backporting to release/2.3: https://github.com/dotnet/aspnetcore/actions/runs/14605871270

Contributor:

@BrennanConroy backporting to "release/2.3" failed, the patch most likely resulted in conflicts:

```text
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Header Spoofing Proof for XForwardedProto, XForwardedHost and XForwardedPrefix
Using index info to reconstruct a base tree...
M	src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
CONFLICT (content): Merge conflict in src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Header Spoofing Proof for XForwardedProto, XForwardedHost and XForwardedPrefix
Error: The process '/usr/bin/git' failed with exit code 128
```

Please backport manually!

@BrennanConroy (Member):

Thanks for the find and fix @yannic-hamann-abb !

Successfully merging this pull request may close these issues.

Forwarded Headers Middleware: X-Forwarded-Prefix Applied when it comes from an Unknown Proxy