Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changes in ProxyFix are not documented #1484

Closed
remilapeyre opened this issue Mar 21, 2019 · 6 comments
Closed

Changes in ProxyFix are not documented #1484

remilapeyre opened this issue Mar 21, 2019 · 6 comments

Comments

@remilapeyre
Copy link

remilapeyre commented Mar 21, 2019
edited
Loading

Hi, it seems to me that ProxyFix got changes that were not documented in 0.15. While the documentation give information about the module having changed, it's signature and behavior changed to. The new signature is:

ProxyFix(app, num_proxies=None, x_for=1, x_proto=0, x_host=0, x_port=0, x_prefix=0)

while the old ProxyFix had this behavior: was behaving like this:

ProxyFix(app, num_proxies=None, x_for=1, x_proto=1, x_host=1, x_port=1, x_prefix=1)

As far as I can see, there is no warning in the documentation regarding the change in behavior and since this is not something that is tested with our unit tests, we did not caught it.

Is the change in behavior wanted?
Could we document it more clearly? Especially at https://werkzeug.palletsprojects.com/en/0.15.x/contrib/fixers/ wich only says:

class werkzeug.contrib.fixers.ProxyFix(*args, **kwargs)

Deprecated since version 0.15: werkzeug.contrib.fixers.ProxyFix has moved to werkzeug.middleware.proxy_fix. This import will be removed in 1.0.

Would it be possible that importing from contrib.fixers give the old behavior and for the documentation and the error message give more details about this change?

Thanks a lot!
@davidism
Copy link
Member

The signature of the previous version of ProxyFix from 0.14 is:

werkzeug/werkzeug/contrib/fixers.py

Line 120 in f1d15a2

def __init__(self, app, num_proxies=1):

The x_ parameters are all new in 0.15.

@davidism
Copy link
Member

The fact that you need to specify the count for each one is documented:

werkzeug/src/werkzeug/middleware/proxy_fix.py

Lines 38 to 39 in 129b3fa

You must tell the middleware how many proxies set each header so it
knows what values to trust. It is a security issue to trust values

werkzeug/src/werkzeug/middleware/proxy_fix.py

Lines 62 to 63 in 129b3fa

argument is deprecated. Each header is configured with a
separate number of trusted proxies.

@remilapeyre
Copy link
Author

Hi @davidism, thanks for the response. I did not see a mention that the default behavior changed though. There was a default behavior, there is still one but they differ. Can't we add a warning regarding this?

@rascalking
Copy link

Not for nothing, but by changing the default behavior, you're going to cause anything that's validating a signed http request (like Twilio webhooks) to suddenly decide that all of the signatures it's seeing are wrong.

@allait allait mentioned this issue Mar 22, 2019
Merged
@davidism
Copy link
Member

davidism commented Mar 22, 2019
edited
Loading

In most server setups, the default is probably what you want, or you might enable x_host as well. The various headers are set in various combinations by different platforms and proxies. It is dangerous to make a broad recommendation to set every value to 1, you must set the values according to your specific hosting setup, as stated in the documentation.

@rascalking
Copy link

When working from a clean slate, absolutely. But I think it might make sense to have the contrib wrapper that throws the deprecation warning supply defaults that match what the previous version of the class did.

Some context for why folks might be cranky about this, since this is what happened to me: a fresh pip install of the same project and code, where flask was pinned to 1.0.2, but werkzeug wasn't pinned, can result in a broken site.

@ColdHeat ColdHeat mentioned this issue Apr 19, 2019
Merged
ColdHeat added a commit to CTFd/CTFd that referenced this issue Apr 19, 2019
@ColdHeat
ProxyFix changes (#960)
95e4060 
* Fixes insufficiently documented changes in ProxyFix
    * pallets/werkzeug#1484
* Pin `Werkzeug==0.15.2` in requirements.txt
* Allow exports test to parallelize
@AlbertDeFusco AlbertDeFusco mentioned this issue May 3, 2019
Closed
@davidism davidism mentioned this issue May 14, 2019
Closed
@nritholtz nritholtz mentioned this issue Jul 11, 2019
Merged
6 tasks
JJwang11 pushed a commit to sigpwny/CTFd-badfork that referenced this issue Jan 22, 2020
@ColdHeat
ProxyFix changes (CTFd#960)
8c272ce 
* Fixes insufficiently documented changes in ProxyFix
    * pallets/werkzeug#1484
* Pin `Werkzeug==0.15.2` in requirements.txt
* Allow exports test to parallelize
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rascalking @davidism @remilapeyre