-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X-Forwarded-For handling is still unsafe, CVE-2020-28483 is NOT fixed #2862
Comments
Yep, this issue should be resolved, otherwise all the works did before are wasted. |
still waiting for this. |
Hi, #2844 was merged, I think this issue can be closed. |
@Bisstocuz Maybe a release would help. |
When we can expect this issue to be closed and a new release with the fix? |
I am using the latest release v1.7.4, our Image vulnerability scanner complains about CVE-2020-28483`` Is the CVE-2020-28483` fixed? From the pull request it looks like the CVE-2020-28483 is fixed. Want to know if it is just a matter of creating a new release? |
I will bump the new release tag v1.7.5 and close this issue, maybe today or tommorow. |
@appleboy Thank you for the quick response. Will wait for the new release tag v1.7.5 |
@appleboy When can we expect the release to be created? Our service is blocked on the release since we cannot move ahead in our pipeline as the image vulnerability acts as a blocker in our pipeline. Request for the release to be created asap. Thank you. |
@mrgadgil Sorry for the late reply. @thinkerou Do you have time to handle it? Or maybe I will take it tomorrow or the day after tomorrow. |
Hello. When can we expect the release to be created? |
@appleboy @Bisstocuz Updated the |
The 1.7.6 version is the same as 1.7.4. I believe it was released only to cover up some issue with the 1.7.5 release. |
v1.7.7 have released, thanks! https://github.com/gin-gonic/gin/releases |
ixed X-Forwarded-For unsafe gin-gonic/gin#2862
As per gin-gonic/gin#2862, this issue was not fully fixed until gin v1.7.7. Fixes #52. Change-Id: I3c285c72eacd6c09ecc67bab681bdf44a60e2067 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/428036 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]>
Description
X-Forwarded-For
/ trusted proxy handling is incorrect, which makes it possible for anyone to force the value ofc.ClientIP()
, if:X-Forwarded-For
in the usual way, by appending IP addresses at the end(the default configuration trusts every proxy and is of course also vulnerable, in a very trivial way).
This was reported in #2473 with a fix at #2474. That PR did not get merged, and the one that did (#2632) does not fix the issue.
There is a fix for this already at #2844.
How to reproduce
You actually have that in your tests already, see https://github.com/gin-gonic/gin/pull/2844/files#diff-e6ce689a25eaef174c2dd51fe869fabbe04a6c6afbd416b23eda138c82e761baR1432
But here's a standalone version
Expectations
Actual result
Environment
The text was updated successfully, but these errors were encountered: