Bug 2018223 - X-Forwarded-For Proxy Fix - does not work with IPv6 Addresses
Summary: X-Forwarded-For Proxy Fix - does not work with IPv6 Addresses
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-werkzeug
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Alpha
Target Release: 17.0
Assignee: Harald Jensås
QA Contact: nlevinki
URL:
Whiteboard:
Duplicates: 2085724
Depends On: 2060078
Blocks:
Reported: 2021-10-28 14:37 UTC by Harald Jensås
Modified: 2022-09-21 12:17 UTC

Fixed In Version: python-werkzeug-2.0.1-3.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 12:17:17 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | pallets werkzeug issues 2262 | 0 | None | closed | X-Forwarded-For Proxy Fix - does not work with IPv6 Addresses | 2022-01-20 22:28:55 UTC
Github | pallets werkzeug pull 2263 | 0 | None | Merged | Handle IPv6 Addreess in X-Forwarded-For Proxy Fix | 2022-01-20 22:28:50 UTC
Github | rdo-common python-werkzeug pull 1 | 0 | None | Merged | ProxyFix support IPv6 Addressing | 2022-01-25 22:58:47 UTC
OpenStack Storyboard | 2009295 | 0 | None | None | None | 2021-10-28 14:40:55 UTC
Red Hat Issue Tracker | OSP-10587 | 0 | None | None | None | 2021-11-17 15:57:59 UTC
Red Hat Product Errata | RHEA-2022:6543 | 0 | None | None | None | 2022-09-21 12:17:41 UTC

Description Harald Jensås 2021-10-28 14:37:20 UTC
Description of problem:
X-Forwarded-For Proxy Fix does a host.split(":", 1)[1]. This does not work with IPv6 addresses using : separator.
For example, splitting [fd00:fd00:fd00:0000::2]:13050/ would result in: ['[fd00', 'fd00:fd00:0000::2]:13050/'] and host is incorrectly set to '[fd00', i.e. only the first hextet of the IPv6 address.

[1] https://github.com/pallets/werkzeug/blob/main/src/werkzeug/middleware/proxy_fix.py#L176

Environment:


Version-Release number of selected component (if applicable):
    Python version: Python 3.6.8
    Werkzeug version: python3-werkzeug-2.0.1-2.el8.noarch

Additional info:
Upstream pull request: https://github.com/pallets/werkzeug/pull/2263
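
The failure described in this report, as an added example (not code from the bug report, Werkzeug, or the upstream patch): it contrasts the first-colon split with a bracket-aware port stripper and shows that the truncated host yields a URL that no longer parses. The function names and the forwarded port 443 are hypothetical, and the standard library's `urlsplit` stands in for Werkzeug's URL parser.

```python
from urllib.parse import urlsplit

# Constructed Host header value, using the address from the report.
HOST = "[fd00:fd00:fd00:0000::2]:13050"


def naive_strip_port(host):
    """Reported behaviour: cut at the first ':' and keep the left part."""
    return host.split(":", 1)[0]


def strip_port(host):
    """Drop an optional ':port' but keep a bracketed IPv6 literal whole."""
    if host.startswith("["):
        end = host.find("]")
        rest = host[end + 1:]
        ok_rest = rest == "" or (rest[0] == ":" and rest[1:].isdigit())
        if end == -1 or not ok_rest:
            raise ValueError(f"malformed IPv6 host: {host!r}")
        return host[:end + 1]
    name, sep, port = host.rpartition(":")
    if not sep:
        return host  # plain hostname or IPv4 address without a port
    if ":" in name or not port.isdigit():
        raise ValueError(f"unbracketed IPv6 or bad port: {host!r}")
    return name


def url_root(host, forwarded_port, strip):
    """Rebuild the root URL from the host and the proxy-supplied port."""
    return f"https://{strip(host)}:{forwarded_port}/"


def parses(url):
    """True if the URL survives parsing; unbalanced brackets do not."""
    try:
        urlsplit(url)
        return True
    except ValueError:  # urlsplit raises "Invalid IPv6 URL" here
        return False


if __name__ == "__main__":
    for strip in (naive_strip_port, strip_port):
        url = url_root(HOST, 443, strip)
        print(f"{strip.__name__:17} {url!r:42} parses={parses(url)}")
```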

Comment 1 Brian Lane 2021-10-28 16:18:14 UTC
I don't think you are using the python3-werkzeug from RHEL 8. The version there is 0.12.2-4 and it doesn't appear to have proxy support.

Comment 2 Harald Jensås 2021-10-28 16:28:31 UTC
I see the problematic code in: python-werkzeug-1.0.1-3.el8ost.src.rpm
Will update product on this bug.

Comment 9 Harald Jensås 2021-11-09 13:25:59 UTC
I just did a test with upstream Wallaby and this issue reproduces on Wallaby as well.

Comment 10 Harald Jensås 2021-11-09 13:28:07 UTC
(In reply to Harald Jensås from comment #9)
> I just did a test with upstream Wallaby and this issue reproduces on Wallaby
> as well.

2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main [req-e7dc4b6c-99be-4d5c-8b12-f93c21edece1 - - - - -] Internal server error: ValueError: Invalid IPv6 URL
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main Traceback (most recent call last):
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 169, in wrapper
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return func(*args, **kwargs)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 291, in wrapper
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return func(*args, **kwargs)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 307, in api_root
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     ["v%s" % version['id'].split('.')[0]])
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/ironic_inspector/main.py", line 217, in create_link_object
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     os.path.join(flask.request.url_root,
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/local.py", line 347, in __getattr__
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return getattr(self._get_current_object(), name)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/utils.py", line 90, in __get__
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     value = self.func(obj)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/wrappers/base_request.py", line 581, in url_root
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return get_current_url(self.environ, True, trusted_hosts=self.trusted_hosts)
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/wsgi.py", line 99, in get_current_url
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     return uri_to_iri("".join(tmp))
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/urls.py", line 706, in uri_to_iri
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     uri = url_parse(to_unicode(uri, charset))
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main   File "/usr/lib/python3.6/site-packages/werkzeug/urls.py", line 476, in url_parse
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main     raise ValueError("Invalid IPv6 URL")
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main ValueError: Invalid IPv6 URL
2021-11-09 13:19:09.356 7 ERROR ironic_inspector.main 

f6f84b2302a6  quay.io/tripleowallaby/openstack-ironic-inspector:current-tripleo 

python3-werkzeug-1.0.1-3.el8.noarch
openstack-ironic-inspector-10.6.2-0.20211005074354.06c6575.el8.noarch

Comment 14 Harald Jensås 2022-05-25 08:55:36 UTC
*** Bug 2085724 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2022-09-21 12:17:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

