Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
I do not understand the security concerns behind why X-Forwarded-Fields should only be allowed for known proxies, but that is what the documentation implies.
The current implementation of ForwardedHeadersMiddleware only breaks and logs Unknown proxy: {RemoteIpAndPort} when the flag ForwardedHeaders.XForwardedFor is set.
Address ranges of known networks to accept forwarded headers from.
In other words, you can end up with a configuration like:
var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedPrefix };
which modifies your request.PathBase even though it comes from an unknown proxy. Is this a bug or by design? If by design, maybe the documentation could be improved.
XForwardedProto and XForwardedHost are potentially bypassed in the same way.
Expected Behavior
Unknown due to my limited security understanding. Maybe HttpContext.Request.PathBase should be left untouched by the middleware when the header comes from an unknown proxy.
Steps To Reproduce
var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedPrefix };
// options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("0.0.0.0"), 0));
_application.UseForwardedHeaders(options);
Exceptions (if any)
No response
.NET Version
9.0.104
Anything else?
I would like to contribute to fix this issue. I am planning to write some tests tomorrow for this and suggest a PR with some more detailed description of the issue.
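
One way to keep X-Forwarded-* headers from untrusted peers away from the middleware regardless of which ForwardedHeaders flags are enabled, as an added example that is not part of the original issue or the ASP.NET Core code base. The proxy address 10.0.0.10 and the names trustedProxies and forwardedHeaderNames are assumptions made for illustration.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumption: the single reverse proxy in front of this app (placeholder address).
var trustedProxies = new HashSet<IPAddress> { IPAddress.Parse("10.0.0.10") };

// Default header names read by the forwarded headers middleware.
string[] forwardedHeaderNames =
{
    "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto", "X-Forwarded-Prefix"
};

// Registered before UseForwardedHeaders: if the direct peer is not on the
// allow-list, remove every forwarded header so nothing downstream can apply it.
app.Use(async (context, next) =>
{
    var remote = context.Connection.RemoteIpAddress;

    // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; normalise first.
    if (remote is { IsIPv4MappedToIPv6: true })
    {
        remote = remote.MapToIPv4();
    }

    // A missing remote address is treated as untrusted.
    if (remote is null || !trustedProxies.Contains(remote))
    {
        foreach (var name in forwardedHeaderNames)
        {
            context.Request.Headers.Remove(name);
        }
    }

    await next(context);
});

// Same flag as in the report, plus an explicit proxy allow-list.
var options = new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedPrefix };
foreach (var proxy in trustedProxies)
{
    options.KnownProxies.Add(proxy);
}
app.UseForwardedHeaders(options);

// Echo PathBase so the effect of X-Forwarded-Prefix is visible per request.
app.MapGet("/", (HttpContext ctx) => $"PathBase={ctx.Request.PathBase}");
app.Run();
```

Sending a request with an X-Forwarded-Prefix header directly to the app (not through the listed proxy) should return an empty PathBase with this filter in place.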