Bug 2018223

Summary: X-Forwarded-For Proxy Fix - does not work with IPv6 Addresses
Product: Red Hat OpenStack
Reporter: Harald Jensås <hjensas>
Component: python-werkzeug
Assignee: Harald Jensås <hjensas>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: medium
Docs Contact:
Priority: medium
Version: 17.0 (Wallaby)
CC: apevec, bcl, jparoly, jschluet, lhh, mburns, pgrist, ykarel
Target Milestone: Alpha
Keywords: Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: python-werkzeug-2.0.1-3.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-21 12:17:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2060078
Bug Blocks:

Description Harald Jensås 2021-10-28 14:37:20 UTC
Description of problem:
X-Forwarded-For Proxy Fix does a host.split(":", 1)[1]. This does not work with IPv6 addresses using : separator.
For example, splitting [fd00', 'fd00:fd00:0000::2]:13050/ would result in: ['[fd00', 'fd00:fd00:0000::2]:13050/'] and host is incorrectly set to [fd00', i.e. only the first hextet of the IPv6 address.

[1] https://github.com/pallets/werkzeug/blob/main/src/werkzeug/middleware/proxy_fix.py#L176

Environment:


Version-Release number of selected component (if applicable):
    Python version: Python 3.6.8
    Werkzeug version: python3-werkzeug-2.0.1-2.el8.noarch

Additional info:
Upstream pull request: https://github.com/pallets/werkzeug/pull/2263

Comment 1 Brian Lane 2021-10-28 16:18:14 UTC
I don't think you are using the python3-werkzeug from RHEL 8. The version there is 0.12.2-4 and it doesn't appear to have proxy support.

Comment 2 Harald Jensås 2021-10-28 16:28:31 UTC
I see the problematic code in: python-werkzeug-1.0.1-3.el8ost.src.rpm
Will update product on this bug.

Comment 9 Harald Jensås 2021-11-09 13:25:59 UTC
I just did a test with upstream Wallaby and this issue reproduces on Wallaby as well.

Comment 10 Harald Jensås 2021-11-09 13:28:07 UTC
(In reply to Harald Jensås from comment #9)
> I just did a test with upstream Wallaby and this issue reproduces on Wallaby
> as well.

2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main [req-e7dc4b6c-99be-4d5c-8b12-f93c21edece1 - - - - -] Internal server error: ValueError: Invalid IPv6 URL
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main Traceback (most recent call last):
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 169, in wrapper
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return func(*args, **kwargs)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 291, in wrapper
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return func(*args, **kwargs)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 307, in api_root
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     ["v%s" % version['id'].split('.')[0]])
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 217, in create_link_object
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     os.path.join(flask.request.url_root,
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/local.py", line 347, in __getattr__
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return getattr(self._get_current_object(), name)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/utils.py", line 90, in __get__
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     value = self.func(obj)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/wrappers/base_request.py", line 581, in url_root
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return get_current_url(self.environ, True, trusted_hosts=self.trusted_hosts)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/wsgi.py", line 99, in get_current_url
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return uri_to_iri("".join(tmp))
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/urls.py", line 706, in uri_to_iri
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     uri = url_parse(to_unicode(uri, charset))
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/urls.py", line 476, in url_parse
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     raise ValueError("Invalid IPv6 URL")
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main ValueError: Invalid IPv6 URL
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main 

f6f84b2302a6  quay.io/tripleowallaby/openstack-ironic-inspector:current-tripleo 

python3-werkzeug-1.0.1-3.el8.noarch
openstack-ironic-inspector-10.6.2-0.20211005074354.06c6575.el8.noarch
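
The failure reported in the description and the traceback above can be reproduced offline with the following added example, which is not code from Werkzeug or from the upstream pull request. The helper names and the sample Host value are assumptions built from the address in the report, and the standard-library `urlsplit` stands in for Werkzeug's `url_parse`, raising the same "Invalid IPv6 URL" error on an unbalanced bracket.

```python
from urllib.parse import urlsplit

# Constructed sample: the IPv6 literal from the report, as a Host header value.
SAMPLE_HOST = "[fd00:fd00:fd00:0000::2]:13050"


def buggy_host_with_port(http_host, forwarded_port):
    """Port rewrite as the report describes it: split on the first ':'."""
    parts = http_host.split(":", 1)
    host = parts[0] if len(parts) == 2 else http_host
    return f"{host}:{forwarded_port}"


def strip_port(http_host):
    """Drop an optional :port, keeping a bracketed IPv6 literal whole."""
    if http_host.startswith("["):
        end = http_host.find("]")
        rest = http_host[end + 1:]
        # Only "" or ":<digits>" may follow the closing bracket.
        if end == -1 or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            raise ValueError(f"malformed bracketed host: {http_host!r}")
        return http_host[: end + 1]
    host, sep, port = http_host.rpartition(":")
    # A single colon followed by digits is a port; anything else is left alone.
    if sep and port.isdigit() and ":" not in host:
        return host
    return http_host


def fixed_host_with_port(http_host, forwarded_port):
    """IPv6-aware variant (hypothetical helper, not the upstream patch)."""
    return f"{strip_port(http_host)}:{forwarded_port}"


def url_root_parses(host):
    """True if a URL root built from this host survives URL parsing."""
    try:
        urlsplit(f"http://{host}/")
    except ValueError:  # urllib raises "Invalid IPv6 URL" on unbalanced brackets
        return False
    return True


if __name__ == "__main__":
    for fn in (buggy_host_with_port, fixed_host_with_port):
        host = fn(SAMPLE_HOST, "13050")
        print(f"{fn.__name__}: {host!r} parses={url_root_parses(host)}")
```
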

Comment 14 Harald Jensås 2022-05-25 08:55:36 UTC
*** Bug 2085724 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2022-09-21 12:17:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543