synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled #9471

matrixbot · 2023-12-18T14:20:06Z

This issue has been migrated from #9471.

Synapse does not check that the chain in X-Forwarded-For is trusted, and so an attacker can spoof their IP address if the reverse proxy does not sanitize X-Forwarded-For. Ideally, we should be able to pass a set of trusted IP addresses, and synapse should only trust X-Forwarded-For if: 1) the request comes from a trusted IP address, and 2) every IP address in X-Forwarded-For, other than the first one, is trusted.

This can be mitigated by ensuring that the X-Forwarded-For header is sanitized before it hits synapse. For example, the public-facing reverse-proxy should remove any X-Forwarded-For header that it receives.

The IP address seems to be used for:

checking that AS requests come from trusted IP addresses
rate limiting registration requests
UI auth (maybe?)
request logging
last-seen IP address for devices

The text was updated successfully, but these errors were encountered:

matrixbot closed this as completed Dec 18, 2023

matrixbot changed the title ~~Dummy issue~~ synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled Dec 21, 2023

matrixbot added Security S-Minor T-Defect labels Dec 21, 2023

matrixbot reopened this Dec 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled #9471

synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled #9471

matrixbot commented Dec 18, 2023 •

edited

Loading

synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled #9471

synapse blindly trusts X-Forwarded-For if x_forwarded option is enabled #9471

Comments

matrixbot commented Dec 18, 2023 • edited Loading

matrixbot commented Dec 18, 2023 •

edited

Loading