[tor-commits] [meek/master] Understand X-Forwarded-For in originalClientIP.

[dcf at torproject.org]

commit 3e4fffbbd1410b07209e6980e7f3516944acdf09
Author: David Fifield <david at bamsoftware.com>
Date:   Mon Dec 14 01:24:50 2015 -0800

    Understand X-Forwarded-For in originalClientIP.
---
 meek-server/useraddr.go |   29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/meek-server/useraddr.go b/meek-server/useraddr.go
index 6695d6d..680a6d8 100644
--- a/meek-server/useraddr.go
+++ b/meek-server/useraddr.go
@@ -4,14 +4,41 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strings"
 )
 
+// Get the first hostname in an X-Forwarded-For header field value.
+//
+// The X-Forwarded-For header is set automatically by CDNs (and other proxies).
+// There doesn't seem to be any formal specification of it.
+// https://en.wikipedia.org/wiki/X-Forwarded-For says it was originally
+// implemented in Squid. The format appears to be: one or more IPv4 or IPv6
+// addresses, without port numbers, separated by commas and optional whitespace.
+// Because the format is unspecified, we only look at whatever is before the
+// first comma (or end of string).
+func getXForwardedFor(xForwardedFor string) (string, error) {
+	parts := strings.SplitN(xForwardedFor, ",", 2)
+	if len(parts) < 1 {
+		return "", fmt.Errorf("bad X-Forwarded-For value %q", xForwardedFor)
+	}
+	return strings.TrimSpace(parts[0]), nil
+}
+
 // Return the original client IP address as best as it can be determined.
 func originalClientIP(req *http.Request) (net.IP, error) {
-	host, _, err := net.SplitHostPort(req.RemoteAddr)
+	var host string
+	var err error
+
+	xForwardedFor := req.Header.Get("X-Forwarded-For")
+	if xForwardedFor != "" {
+		host, err = getXForwardedFor(xForwardedFor)
+	} else {
+		host, _, err = net.SplitHostPort(req.RemoteAddr)
+	}
 	if err != nil {
 		return nil, err
 	}
+
 	ip := net.ParseIP(host)
 	if ip == nil {
 		return nil, fmt.Errorf("cannot parse %q as IP address")