http-rs / http-types

Common types for HTTP operations
https://docs.rs/http-types
Apache License 2.0

Error in parser for the "Forwarded" header #374

Closed nanobot248 closed 3 years ago

nanobot248 commented 3 years ago

The proxies::forwarded::Forwarded::parse method currently (I'm using version 2.11.1) assumes that all for= items are at the beginning of the forwarding header. As far as I can see from https://datatracker.ietf.org/doc/html/rfc7239#page-5, the RFC does not specify a specific position for the for= forwarded-pair.

jbr commented 3 years ago

Are you seeing headers with for in a different position in the wild? My read of the spec was that the "for" section was always first, but I can see how it might be otherwise. If you're seeing them in a different order, that's certainly a bug. Would you mind providing a real world test case that you're seeing?

nanobot248 commented 3 years ago

Basically, when I call Forwarded::value(), it generates a string with the for= pairs not being at the beginning of the string (it starts with by=, then for=, then host= followed by proto=). So at the moment, Forwarded cannot parse its own generated header value. I'm not sure about the current state of (reverse-)proxies. As far as I can tell, the x-forwarded-... headers are still more common. But as always, if the spec allows it, someone is going to do it.
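
The ordering assumption reported in this thread can be avoided by parsing each forwarded-element as an unordered set of RFC 7239 forwarded-pairs. The following is an added example, not code from http-types or from either commenter: the function names and the sample header value are constructed for illustration, and rejecting a repeated parameter within one element is an assumption of this example.

```rust
use std::collections::HashMap;

/// Split on `sep`, ignoring separators inside a quoted-string (with `\` escapes).
fn split_unquoted(s: &str, sep: char) -> Vec<&str> {
    let (mut parts, mut start, mut quoted, mut escaped) = (Vec::new(), 0, false, false);
    for (i, c) in s.char_indices() {
        match c {
            _ if escaped => escaped = false,
            '\\' if quoted => escaped = true,
            '"' => quoted = !quoted,
            _ if c == sep && !quoted => { parts.push(&s[start..i]); start = i + 1; }
            _ => {}
        }
    }
    parts.push(&s[start..]);
    parts
}

/// Return a token unchanged, or a quoted-string's contents with escapes resolved.
fn unquote(v: &str) -> Option<String> {
    if !v.starts_with('"') { return if v.is_empty() { None } else { Some(v.to_string()) }; }
    if v.len() < 2 || !v.ends_with('"') { return None; }
    let (mut chars, mut out) = (v[1..v.len() - 1].chars(), String::new());
    while let Some(c) = chars.next() { out.push(if c == '\\' { chars.next()? } else { c }); }
    Some(out)
}

/// Parse a Forwarded value; parameters may come in any order within an element.
fn parse_forwarded(header: &str) -> Result<Vec<HashMap<String, String>>, String> {
    let mut elements = Vec::new();
    for raw in split_unquoted(header, ',') {
        let mut el = HashMap::new();
        for pair in split_unquoted(raw, ';').into_iter().map(str::trim).filter(|p| !p.is_empty()) {
            let (name, value) = pair.split_once('=').ok_or_else(|| format!("no '=' in {:?}", pair))?;
            let value = unquote(value).ok_or_else(|| format!("bad value in {:?}", pair))?;
            // Assumption: a parameter repeated within one element is rejected, not merged.
            if el.insert(name.to_ascii_lowercase(), value).is_some() {
                return Err(format!("repeated parameter in {:?}", raw));
            }
        }
        if !el.is_empty() { elements.push(el); }
    }
    Ok(elements)
}

fn main() {
    // Constructed sample in the order the issue reports: by, for, host, proto.
    println!("{:?}", parse_forwarded(r#"by=203.0.113.43;for="[2001:db8::17]:4711";host=example.com;proto=https"#));
}
```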