Skip to content

[release/8.0] Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy #61623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 8, 2025
Merged

[release/8.0] Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy #61623

merged 2 commits into from
May 8, 2025
+82 −9

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Apr 22, 2025
edited by BrennanConroy
Loading

Backport of #61530 to release/8.0

/cc @BrennanConroy @yannic-hamann-abb

Forwarded Headers Middleware: Ignore XForwardedHeaders from Unknown Proxy

Description

If the ForwardedHeadersMiddleware middleware is used without using XForwardedFor then the KnownNetworks and KnownProxies checks are skipped.

Fixes #61449

Customer Impact

Expectations for KnownNetworks and KnownProxies settings are not always met. If you aren't careful with configuring your app (careful meaning aware of this issue), you can end up allowing traffic you didn't intend to allow.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Runs a check that was already there but runs it in more cases.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A
@github-actions github-actions bot requested a review from BrennanConroy as a code owner April 22, 2025 22:32
@ghost ghost added the area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares label Apr 22, 2025
@dotnet-policy-service dotnet-policy-service bot added this to the 8.0.x milestone Apr 22, 2025
@BrennanConroy BrennanConroy added the Servicing-approved Shiproom has approved the issue label Apr 24, 2025
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label May 1, 2025
@wtgodbe wtgodbe merged commit 4c5cbc8 into release/8.0 May 8, 2025
23 of 25 checks passed
@wtgodbe wtgodbe deleted the backport/pr-61530-to-release/8.0 branch May 8, 2025 15:52
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label May 8, 2025
@dotnet-policy-service dotnet-policy-service bot modified the milestones: 8.0.x, 8.0.17 May 8, 2025
@desasta desasta mentioned this pull request Jun 12, 2025
Closed
@maartenba maartenba mentioned this pull request Jun 13, 2025
Merged
@Viktor-36 Viktor-36 mentioned this pull request Jun 16, 2025
Closed
1 task
This was referenced Jul 21, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Open
Closed
Closed
Closed
This was referenced Oct 1, 2025
Open
Open
Open
Open
Closed
Closed
Open
Open
Open
Open
Closed
Closed
Merged
microsoft-github-policy-service bot pushed a commit to Azure/bicep that referenced this pull request Oct 5, 2025
@dependabot
Bump Microsoft.AspNetCore.Components.WebAssembly from 8.0.15 to 8.0.20 (
907b48d 
#18209) [//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Updated [Microsoft.AspNetCore.Components.WebAssembly](https://github.com/dotnet/aspnetcore) from 8.0.15 to 8.0.20. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.Components.WebAssembly's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 8.0.20 [Release](https://github.com/dotnet/core/releases/tag/v8.0.20) ## What's Changed * Update branding to 8.0.20 by @​vseanreesermsft in dotnet/aspnetcore#63106 * [release/8.0] (deps): Bump src/submodules/googletest from `c67de11` to `373af2e` by @​dependabot[bot] in dotnet/aspnetcore#63038 * [release/8.0] Dispose the certificate chain elements with the chain by @​MackinnonBuck in dotnet/aspnetcore#62994 * [release/8.0] Update SignalR Redis tests to use internal Docker Hub mirror by @​github-actions[bot] in dotnet/aspnetcore#63117 * [release/8.0] [SignalR] Don't throw for message headers in Java client by @​github-actions[bot] in dotnet/aspnetcore#62784 * Merging internal commits for release/8.0 by @​vseanreesermsft in dotnet/aspnetcore#63152 * [release/8.0] Update dependencies from dotnet/extensions by @​dotnet-maestro[bot] in dotnet/aspnetcore#63188 * [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro[bot] in dotnet/aspnetcore#63189 **Full Changelog**: dotnet/aspnetcore@v8.0.19...v8.0.20 ## 8.0.18 [Release](https://github.com/dotnet/core/releases/tag/v8.0.18) ## What's Changed * Update branding to 8.0.18 by @​vseanreesermsft in dotnet/aspnetcore#62241 * [release/8.0] Update Alpine helix references by @​github-actions in dotnet/aspnetcore#62243 * [release/8.0] (deps): Bump src/submodules/googletest from `04ee1b4` to `e9092b1` by @​dependabot in dotnet/aspnetcore#62201 * [8.0] Delete src/arcade directory by @​akoeplinger in dotnet/aspnetcore#61994 * [Backport 8.0] [IIS] Manually parse exe bitness (#​61894) by @​BrennanConroy in dotnet/aspnetcore#62037 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in dotnet/aspnetcore#62006 * [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in dotnet/aspnetcore#61944 * [release/8.0] Associate tagged keys with entries so replacements are not evicted by @​github-actions in dotnet/aspnetcore#62247 * [release/8.0] Block test that is failing after switching to latest-chrome by @​github-actions in dotnet/aspnetcore#62284 * backport(net8.0): http.sys on-demand TLS client hello retrieval by @​DeagleGross in dotnet/aspnetcore#62290 * Merging internal commits for release/8.0 by @​vseanreesermsft in dotnet/aspnetcore#62302 **Full Changelog**: dotnet/aspnetcore@v8.0.17...v8.0.18 ## 8.0.17 ## Bug Fixes - **Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy** ([#​61623](dotnet/aspnetcore#61623)) The Forwarded Headers Middleware now ignores `X-Forwarded-Headers` sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence the forwarded headers, preventing potential spoofing or misrouting of requests. ## Dependency Updates - **Update dependencies from dotnet/arcade** ([#​61832](dotnet/aspnetcore#61832)) This update brings in the latest changes from the dotnet/arcade repository, ensuring that ASP.NET Core benefits from recent improvements, bug fixes, and security patches in the shared build infrastructure. - **Bump src/submodules/googletest from `52204f7` to `04ee1b4`** ([#​61761](dotnet/aspnetcore#61761)) The GoogleTest submodule has been updated to a newer commit, providing the latest testing features, bug fixes, and performance improvements for the project's C++ test components. ## Miscellaneous - **Update branding to 8.0.17** ([#​61830](dotnet/aspnetcore#61830)) The project version branding has been updated to reflect the new 8.0.17 release, ensuring consistency across build outputs and documentation. - **Merging internal commits for release/8.0** ([#​61924](dotnet/aspnetcore#61924)) This change merges various internal commits into the release/8.0 branch, incorporating minor fixes, documentation updates, and other non-user-facing improvements to keep the release branch up to date. --- This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests. **Full Changelog**: dotnet/aspnetcore@v8.0.16...v8.0.17 ## 8.0.16 [Release](https://github.com/dotnet/core/releases/tag/v8.0.16) ## What's Changed * Update branding to 8.0.16 by @​vseanreesermsft in dotnet/aspnetcore#61283 * [release/8.0] (deps): Bump src/submodules/googletest from `24a9e94` to `52204f7` by @​dependabot in dotnet/aspnetcore#61260 * [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in dotnet/aspnetcore#61281 * [release/8.0] Upgrade to Ubuntu 22 by @​wtgodbe in dotnet/aspnetcore#61216 * [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in dotnet/aspnetcore#60901 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in dotnet/aspnetcore#60926 * [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in dotnet/aspnetcore#61404 * Merging internal commits for release/8.0 by @​vseanreesermsft in dotnet/aspnetcore#61398 * [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in dotnet/aspnetcore#61411 * Revert "Revert "[release/8.0] Update remnants of azureedge.net"" by @​wtgodbe in dotnet/aspnetcore#60352 * [release/8.0] Fix preserving messages for stateful reconnect with backplane by @​BrennanConroy in dotnet/aspnetcore#61375 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in dotnet/aspnetcore#61442 * fetch TLS client hello message from HTTP.SYS by @​BrennanConroy in dotnet/aspnetcore#61494 **Full Changelog**: dotnet/aspnetcore@v8.0.15...v8.0.16 Commits viewable in [compare view](dotnet/aspnetcore@v8.0.15...v8.0.20). </details> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Microsoft.AspNetCore.Components.WebAssembly&package-manager=nuget&previous-version=8.0.15&new-version=8.0.20)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/18209) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Oct 6, 2025
Open
Closed
Open
Open
Open
Open
Open
Merged
Closed
Open
Open
Open
Closed
Open
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares Servicing-approved Shiproom has approved the issue

2 participants

@wtgodbe @BrennanConroy