ForwardedHeaderFilter should reject invalid requests #31842
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Hello @ravihansa3000, thanks for reaching out. It's not clear from your description whether this is something that used to work with a previous Spring version or if this problem appeared because invalid requests started coming in production. Can you elaborate? Can you give an example of such invalid request? Do you happen to know where this comes from? Is there a specific proxy or client that we should know about? Knowing if this is a custom client or some well-known product would really help. |
bclozel
added
status: waiting-for-feedback
|
In addition, please provide a stacktrace that shows the location of the failure, and also try with the latest 6.0.15 just in case. |
|
Hi @bclozel I don't think this is a regression and the problem appeared in prod when @rstoyanchev This behavior is present in 6.0.15 as well and the exception is raised in |
spring-projects-issues
added
status: feedback-provided
bclozel
changed the title
bclozel
added
type: bug
bclozel
added
the
for: backport-to-6.0.x
github-actions
bot
added
status: backported
|
We should reject invalid requests right away instead of throwing |
Hi, our Spring Boot application using Spring Boot 3.1.4 which includes spring-web:6.0.12 started throwing 5xx due to a malformed X-Forwarded-For header in the requests that were returned with 5xx and this error in our logs; java.lang.IllegalArgumentException: Failed to parse a port from "forwarded"-type headers.
I would suggest introducing a mechanism to skip extracting "forwarded"-type headers in ForwardedHeaderFilter when the header format is invalid. Our service SLOs are impacted by this issue and such incidents attract unnecessary attention. Thanks!
The text was updated successfully, but these errors were encountered: