diff --git a/docs/deployment.md b/docs/deployment.md
index e1854deff..d69fcf88e 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -376,7 +376,7 @@ Uvicorn can use these headers to correctly set the client and protocol in the re
 However as anyone can set these headers you must configure which "clients" you will trust to have set them correctly.
 Uvicorn can be configured to trust IP Addresses (e.g. `127.0.0.1`), IP Networks (e.g. `10.100.0.0/16`),
-or Literals (e.g. `/path/to/socket.sock`). When running from CLI these are configured using `--forwarded-trust-ips`.
+or Literals (e.g. `/path/to/socket.sock`). When running from CLI these are configured using `--forwarded-allow-ips`.
 !!! Warning "Only trust clients you can actually trust!"
 Incorrectly trusting other clients can lead to malicious actors spoofing their apparent client address to your application.
diff --git a/tests/middleware/test_proxy_headers.py b/tests/middleware/test_proxy_headers.py
index a2cbde775..0ade97450 100644
--- a/tests/middleware/test_proxy_headers.py
+++ b/tests/middleware/test_proxy_headers.py
@@ -56,6 +56,7 @@ def make_httpx_client(
 # of the _TrustedHosts.__init__ method.
 _TRUSTED_NOTHING: list[str] = []
 _TRUSTED_EVERYTHING = "*"
+_TRUSTED_EVERYTHING_LIST = ["*"]
 _TRUSTED_IPv4_ADDRESSES = "127.0.0.1, 10.0.0.1"
 _TRUSTED_IPv4_NETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
 _TRUSTED_IPv6_ADDRESSES = [
@@ -65,7 +66,7 @@ def make_httpx_client(
 "::11.22.33.44", # This is a dual address
 ]
 _TRUSTED_IPv6_NETWORKS = "2001:db8:abcd:0012::0/64"
-_TRUSTED_LITERALS = "some-literal , unix:///foo/bar , /foo/bar"
+_TRUSTED_LITERALS = "some-literal , unix:///foo/bar , /foo/bar, garba*gewith*"
 @pytest.mark.parametrize(
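Review bot: The new `garba*gewith*` entry in `_TRUSTED_LITERALS` has no visible case asserting how it is matched, so the hunk at `@@ -65,7 +66,7 @@` widens the fixture without pinning the behaviour it was added for. It only proves that a `*` inside a literal is not treated as a wildcard if the matrix checks both the exact value and a glob-like neighbour, e.g. `(_TRUSTED_LITERALS, "garba*gewith*", True),` and `(_TRUSTED_LITERALS, "garbagewithanything", False),`; if such cases sit in a part of the parametrize list outside these hunks, disregard this. The appended entry also drops the ` , ` separator style the other entries use; if the mixed separators are deliberate to exercise whitespace stripping, a short comment such as `# mixed separators on purpose: exercises whitespace stripping` would make that intent explicit.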
@@ -122,6 +123,7 @@ def make_httpx_client(
 (_TRUSTED_EVERYTHING, "192.168.0.0", True),
 (_TRUSTED_EVERYTHING, "192.168.0.1", True),
 (_TRUSTED_EVERYTHING, "1.1.1.1", True),
+ (_TRUSTED_EVERYTHING_LIST, "1.1.1.1", True),
 # Test IPv6 Addresses
 (_TRUSTED_EVERYTHING, "2001:db8::", True),
 (_TRUSTED_EVERYTHING, "2001:db8:abcd:0012::0", True),
@@ -136,6 +138,7 @@ def make_httpx_client(
 (_TRUSTED_EVERYTHING, "::b16:212c", True), # aka ::11.22.33.44
 (_TRUSTED_EVERYTHING, "a:b:c:d::", True),
 (_TRUSTED_EVERYTHING, "::a:b:c:d", True),
+ (_TRUSTED_EVERYTHING_LIST, "::a:b:c:d", True),
 # Test Literals
 (_TRUSTED_EVERYTHING, "some-literal", True),
 (_TRUSTED_EVERYTHING, "unix:///foo/bar", True),
@@ -145,6 +148,7 @@ def make_httpx_client(
 (_TRUSTED_EVERYTHING, "unix:///another/path", True),
 (_TRUSTED_EVERYTHING, "/another/path", True),
 (_TRUSTED_EVERYTHING, "", True),
+ (_TRUSTED_EVERYTHING_LIST, "", True),
 ## Trust IPv4 Addresses
 ## -----------------------------
 # Test IPv4 Addresses
diff --git a/uvicorn/middleware/proxy_headers.py b/uvicorn/middleware/proxy_headers.py
index ce4fd8c01..7c3609de6 100644
--- a/uvicorn/middleware/proxy_headers.py
+++ b/uvicorn/middleware/proxy_headers.py
@@ -68,7 +68,7 @@ class _TrustedHosts:
 """Container for trusted hosts and networks"""
 def __init__(self, trusted_hosts: list[str] | str) -> None:
- self.always_trust: bool = trusted_hosts == "*"
+ self.always_trust: bool = trusted_hosts in ("*", ["*"])
 self.trusted_literals: set[str] = set()
 self.trusted_hosts: set[ipaddress.IPv4Address | ipaddress.IPv6Address] = set()
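Review bot: The three `_TRUSTED_EVERYTHING_LIST` cases added here and in the `@@ -136,6 +138,7 @@` and `@@ -145,6 +148,7 @@` hunks only cover a list whose sole element is `"*"`, so the outcome for a mixed list such as `["*", "10.0.0.0/8"]` stays unpinned. Whether such a list is meant to trust every client or to treat `"*"` as an ordinary literal cannot be determined from these hunks (the rest of `_TrustedHosts.__init__` lies outside the diff), but the test matrix should fix the intended answer, since a list that silently becomes trust-all is exactly the client-address spoofing case the docs/deployment.md warning describes. Suggested addition next to the existing `_TRUSTED_EVERYTHING_LIST` cases: `(["*", "10.0.0.0/8"], "1.1.1.1", <expected: True or False, per maintainers>),  # mixed list: pin the intended answer`.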