Need to check real IP address for proxy deployments or document behaviour #47
Labels: 3.x (Issue or PR for stable 3.x version), docs (Something is missing in docs), enhancement (Make it better!), security
Checking the `X-Forwarded-For` header field for IP address filtering here might not be enough for some deployments. E.g.
The exemplified use cases are (hopefully) unusual but still very possible, especially in testing environments. In each of these cases, one could easily impersonate Telegram by sending HTTP requests to the server's public IP address and forging the `X-Forwarded-For` header field.

Although this does seem more like an IT administration issue than an aiogram issue, I think this should at least be documented, since a developer (especially one that's less-than-savvy with computer networks) could legitimately presume that the IP address filtering functionality would provide complete security against such attacks. I could also imagine larger deployments in which the above presumptions could be true for performance reasons.
If you are also considering a hard fix, here are some ideas:
- `X-Forwarded-For` HTTP header field instead of determining it through the current logic (secure by updating bot code, probably breaks code compatibility)
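Added example (not aiogram's code and not from the issue author) of the defensive way to resolve the real client address before applying an IP filter: the `X-Forwarded-For` chain is consulted only when the TCP peer itself is a known proxy, and it is walked from the right so that entries prepended by an untrusted client are ignored. `TRUSTED_PROXIES` and `ALLOWED_NETWORKS` are constructed placeholder ranges, not real Telegram or proxy addresses.

```python
import ipaddress
from typing import Optional

# Constructed placeholders (not real Telegram ranges): replace with the
# address blocks the webhook sender actually publishes.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed placeholder: the reverse proxy / load balancer in front of the
# bot. Only X-Forwarded-For entries appended by these hops are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip: str, forwarded_for: Optional[str],
                      trusted_proxies=TRUSTED_PROXIES):
    """Return the address the request really originated from.

    If the TCP peer is not a trusted proxy, the header is ignored entirely:
    a request that reaches the public IP directly can carry any value in
    it. Otherwise the chain is walked from the right (the hop nearest to
    us), skipping trusted proxies; the first untrusted hop is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not forwarded_for or not _in_any(peer, trusted_proxies):
        return peer
    for hop in reversed(forwarded_for.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            # Malformed entry: refuse to trust the chain, fall back to the peer.
            return peer
        if not _in_any(candidate, trusted_proxies):
            return candidate
    # Every hop was a trusted proxy: nothing untrusted to report, use the peer.
    return peer


def is_allowed_source(peer_ip: str, forwarded_for: Optional[str]) -> bool:
    """IP filter that does not accept a forged X-Forwarded-For value."""
    return _in_any(resolve_client_ip(peer_ip, forwarded_for), ALLOWED_NETWORKS)
```

With an empty `TRUSTED_PROXIES` list the header is never consulted, which is the right setting for a bot that is exposed directly without any proxy in front of it.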