From: kwintersnc@...
Date: 2018-10-01T13:45:14+00:00
Subject: [ruby-core:89234] [Ruby trunk Bug#15187] IPv6 x-forwarded-host results in "bad URI" error

Issue #15187 has been reported by kwinters (Ken Winters).

----------------------------------------
Bug #15187: IPv6 x-forwarded-host results in "bad URI" error
https://bugs.ruby-lang.org/issues/15187

* Author: kwinters (Ken Winters)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
A request that normally works with IPv4 is failing for IPv6. The webrick server is running behind Apache2, which is setting the x-forwarded-* headers.

```
$ curl -k https://[fd20:8b1e:b255:8154:250:56ff:fea8:4d84]/something
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
  <HEAD><TITLE>Bad Request</TITLE></HEAD>
  <BODY>
    <H1>Bad Request</H1>
    bad URI `/api/v3/versions'.
    <HR>
    <ADDRESS>
     WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21) at
     DCU-ADM1-178:4567
    </ADDRESS>
  </BODY>
</HTML>
```

I added some logging to httprequest.rb to output the headers:

(fails) x-forwarded-host: [fd20:8b1e:b255:8154:250:56ff:fea8:4d84]
(works) x-forwarded-host: 10.224.3.178

The bug appears to be in here:

```
    def setup_forwarded_info
      if @forwarded_server = self["x-forwarded-server"]
        @forwarded_server = @forwarded_server.split(",", 2).first
      end
      @forwarded_proto = self["x-forwarded-proto"]
      if host_port = self["x-forwarded-host"]
        host_port = host_port.split(",", 2).first
        @forwarded_host, tmp = host_port.split(":", 2) # HERE
        @forwarded_port = (tmp || (@forwarded_proto == "https" ? 443 : 80)).to_i
      end
      if addrs = self["x-forwarded-for"]
        addrs = addrs.split(",").collect(&:strip)
        addrs.reject!{|ip| PrivateNetworkRegexp =~ ip }
        @forwarded_for = addrs.first
      end
    end
```

Changing it to remove the split avoids the bug, but this simpler implementation doesn't support a port.

```
      if host_port = self["x-forwarded-host"]
        host_port = host_port.split(",", 2).first
        @forwarded_host = host_port # Dropped the split on :
        @forwarded_port = @forwarded_proto == "https" ? 443 : 80
      end
```

Originally filed as https://github.com/ruby/webrick/issues/11 before the bug submission link was updated.
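Added example, not part of the original report and not WEBrick's code: one way to split the first `x-forwarded-host` entry into host and port while keeping a bracketed IPv6 literal intact, shown beside the `split(":", 2)` behaviour from the excerpt above. The helper names `naive_split` and `split_forwarded_host`, the reject-on-malformed policy, and the sample header values other than the two quoted in the report are assumptions made for illustration.

```ruby
require "ipaddr"

# Split as done in the report's setup_forwarded_info excerpt (the failing path).
def naive_split(value, proto)
  host_port = value.split(",", 2).first
  host, tmp = host_port.split(":", 2)
  [host, (tmp || (proto == "https" ? 443 : 80)).to_i]
end

# Hypothetical bracket-aware split. Returns [host, port], or nil when the
# first header entry is not a well-formed host[:port].
def split_forwarded_host(value, proto)
  default_port = proto == "https" ? 443 : 80
  first = value.to_s.split(",", 2).first.to_s.strip
  if (m = /\A\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?\z/.match(first))
    begin
      # The bracket content must parse as an IPv6 address.
      return nil unless IPAddr.new(m[1]).ipv6?
    rescue ArgumentError # IPAddr's errors derive from ArgumentError
      return nil
    end
    host = "[#{m[1]}]"
  elsif (m = /\A([A-Za-z0-9.-]+)(?::(\d{1,5}))?\z/.match(first))
    host = m[1] # hostname or IPv4 literal
  else
    return nil  # unbracketed IPv6, stray characters, empty value
  end
  port = m[2] ? m[2].to_i : default_port
  (1..65535).cover?(port) ? [host, port] : nil
end

if __FILE__ == $0
  # Constructed sample values; the first two are the ones quoted in the report.
  [
    "[fd20:8b1e:b255:8154:250:56ff:fea8:4d84]",
    "10.224.3.178",
    "[fd20:8b1e:b255:8154:250:56ff:fea8:4d84]:8443",
    "[not-an-ip]",
  ].each do |v|
    puts "#{v.inspect} naive=#{naive_split(v, 'https').inspect} " \
         "aware=#{split_forwarded_host(v, 'https').inspect}"
  end
end
```

Because the header is set by whatever sits in front of the server, the helper returns nil for anything that is not a clean host or bracketed IPv6 literal, leaving the caller to decide whether to ignore the header or reject the request.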