Open richvdh opened 3 years ago
vaguely related: matrix-org/sydent#299
I've just realised that our reverse proxy docs say nothing about sanitizing the X-Forwarded-For header, so this might be a bit more of an urgent security problem than I thought.
My suggested approach for fixing this would be to allow a trusted_proxies setting in the listener configuration, which is a list of IP addresses to be compared against the client IP and X-Forwarded-For addresses. x_forwarded can be deprecated.
It is also related to https://github.com/matrix-org/matrix-content-scanner/pull/36
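Added example, not part of the thread and not Synapse code: a sketch of the check this issue proposes, where X-Forwarded-For is honoured only if the connecting peer is trusted and every entry after the first is trusted. The trusted_proxies values, the addresses and the function names are constructed for illustration, and falling back to the peer address when the chain is rejected is an assumption.

```python
import ipaddress

# Constructed sample value for the proposed (hypothetical) trusted_proxies setting.
TRUSTED_PROXIES = ["127.0.0.1", "10.0.0.0/8"]


def _is_trusted(addr, networks):
    """True if addr parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # garbage in the header is never trusted
    return any(ip in net for net in networks)


def resolve_client_ip(peer_ip, xff_values, trusted_proxies):
    """Return the address to attribute the request to.

    peer_ip:    address of the TCP peer that connected to the listener
    xff_values: raw X-Forwarded-For header values (a request may carry several)
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    # Condition 1: the request itself must come from a trusted proxy.
    if not xff_values or not _is_trusted(peer_ip, networks):
        return peer_ip

    # Flatten repeated headers and comma-separated lists into one chain.
    chain = [p.strip() for v in xff_values for p in v.split(",") if p.strip()]
    if not chain:
        return peer_ip

    client, hops = chain[0], chain[1:]
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return peer_ip  # first entry is not an IP address at all

    # Condition 2: every entry other than the first must be a trusted proxy.
    if all(_is_trusted(hop, networks) for hop in hops):
        return client
    return peer_ip  # assumption: ignore the header rather than reject the request


if __name__ == "__main__":
    # Trusted proxy appended the real peer to a client-supplied header:
    # the chain contains an untrusted hop, so the header is ignored.
    print(resolve_client_ip("10.0.0.2", ["1.2.3.4, 198.51.100.7"], TRUSTED_PROXIES))
```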
Synapse does not check that the chain in X-Forwarded-For is trusted, and so an attacker can spoof their IP address if the reverse proxy does not sanitize X-Forwarded-For. Ideally, we should be able to pass a set of trusted IP addresses, and synapse should only trust X-Forwarded-For if: 1) the request comes from a trusted IP address, and 2) every IP address in X-Forwarded-For, other than the first one, is trusted.
This can be mitigated by ensuring that the X-Forwarded-For header is sanitized before it hits synapse. For example, the public-facing reverse-proxy should remove any X-Forwarded-For header that it receives.
The IP address seems to be used for: