rms/VictoriaMetrics
1
0
Fork 0
mirror of https://github.com/VictoriaMetrics/VictoriaMetrics.git synced 2026-05-20 18:26:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

lib/httpserver: properly quote the returned address from GetQuotedRemoteAddr() for requests with X-Forwarded-For header

Browse Source 
Make sure that the quoted address can be used as JSON string.

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4676#issuecomment-1663203424

This is a follow up for 252643d100 and ac0b7e0421

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4676
This commit is contained in:
Aliaksandr Valialkin
2023-08-11 05:19:44 -07:00
parent d02fb47c2d
commit fa400f83b6
3 changed files with 41 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/httpserver/httpserver.go
View File

@@ -436,11 +436,12 @@ var (
// GetQuotedRemoteAddr returns quoted remote address.
func GetQuotedRemoteAddr(r *http.Request) string {
remoteAddr := strconv.Quote(r.RemoteAddr) // quote remoteAddr and X-Forwarded-For, since they may contain untrusted input
remoteAddr := r.RemoteAddr
if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
remoteAddr += ", X-Forwarded-For: " + strconv.Quote(addr)
remoteAddr += ", X-Forwarded-For: " + addr
}
return remoteAddr
// quote remoteAddr and X-Forwarded-For, since they may contain untrusted input
return strconv.Quote(remoteAddr)
}
// Errorf writes formatted error message to w and to logger.