share: use forwarded IP for geoIP prefix allow list comparison

CL 556157 used the http.Request.RemoteAddr for comparing with the allow list of miscategorized IP prefixes. This is incorrect as it is generally 127.0.0.1 for App Engine traffic. Use X-Forwarded-For instead: https://cloud.google.com/appengine/docs/standard/reference/request-headers For golang/go#65081 Change-Id: Ia0861bdf76dd401c8fa1cd0871c09ae901f5a089 Reviewed-on: https://go-review.googlesource.com/c/playground/+/556195 TryBot-Result: Gopher Robot <[email protected]> Commit-Queue: Robert Findley <[email protected]> Reviewed-by: Hyang-Ah Hana Kim <[email protected]> Run-TryBot: Robert Findley <[email protected]> Auto-Submit: Robert Findley <[email protected]>
golang · Jan 16, 2024 · 7729272 · 7729272
1 parent 46e2687
commit 7729272
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/share.go b/share.go
@@ -107,9 +107,11 @@ func allowShare(r *http.Request) bool {
 	if r.Header.Get("X-AppEngine-Country") != "CN" {
 		return true
 	}
-	for _, prefix := range temporaryAllowListIPPrefixes {
-		if strings.HasPrefix(r.RemoteAddr, prefix) {
-			return true
+	for _, forward := range strings.Split(r.Header.Get("X-Forwarded-For"), ",") {
+		for _, prefix := range temporaryAllowListIPPrefixes {
+			if strings.HasPrefix(strings.TrimSpace(forward), prefix) {
+				return true
+			}
 		}
 	}
 	return false