From 4dd6260ac8fe62e60be6b42e473d8b39e122fd42 Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Wed, 11 Dec 2019 08:29:32 +0100
Subject: [PATCH] Revert "Read X-Real-Ip as the remote IP provided by the proxy."

This reverts commit fccb55f714d0427bc2b3e0d5eb4372b1c32bf246.
Avoid exposing Authelia to more attacks by only keeping X-Forwarded-For.
---
 internal/middlewares/authelia_context.go      |  7 +------
 internal/middlewares/authelia_context_test.go | 14 --------------
 2 files changed, 1 insertion(+), 20 deletions(-)

diff --git a/internal/middlewares/authelia_context.go b/internal/middlewares/authelia_context.go
index 05c627e4f..8ade46fe0 100644
--- a/internal/middlewares/authelia_context.go
+++ b/internal/middlewares/authelia_context.go
@@ -153,17 +153,12 @@ func (c *AutheliaCtx) SetJSONBody(value interface{}) error {
 // RemoteIP return the remote IP taking X-Forwarded-For header into account if provided.
 func (c *AutheliaCtx) RemoteIP() net.IP {
-	XRealIP := c.RequestCtx.Request.Header.Peek("X-Real-IP")
-	if XRealIP != nil {
-		return net.ParseIP(string(XRealIP))
-	}
-
 	XForwardedFor := c.RequestCtx.Request.Header.Peek("X-Forwarded-For")
 	if XForwardedFor != nil {
 		ips := strings.Split(string(XForwardedFor), ",")
 		if len(ips) > 0 {
-			return net.ParseIP(strings.TrimSpace(ips[0]))
+			return net.ParseIP(strings.Trim(ips[0], " "))
 		}
 	}
 	return c.RequestCtx.RemoteIP()
diff --git a/internal/middlewares/authelia_context_test.go b/internal/middlewares/authelia_context_test.go
index b91f45761..35fe46fca 100644
--- a/internal/middlewares/authelia_context_test.go
+++ b/internal/middlewares/authelia_context_test.go
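Review bot: The kept code still returns the leftmost `X-Forwarded-For` entry with no check that the header was set by a trusted proxy, so a client that sends its own `X-Forwarded-For: 1.2.3.4` still controls the address Authelia sees whenever the proxy appends to the header rather than replacing it — dropping the `X-Real-IP` path removes one spoofable header but leaves the same surface in the other. The `net.ParseIP` result is also returned unchecked: a malformed first entry yields a nil `net.IP` (whose `String()` is `<nil>`) instead of falling back to `c.RequestCtx.RemoteIP()`, which matters for any IP-keyed regulation or logging downstream. Restoring `strings.Trim(ips[0], " ")` in place of `TrimSpace` means tab-padded entries are no longer normalised, and `len(ips) > 0` is always true after `strings.Split`, so that guard is dead. Assuming a single trusted proxy sits directly in front of Authelia, prefer the rightmost entry (the one that proxy appended) and fall back to the socket peer when it does not parse; with a chain of proxies the entries would instead need to be walked right-to-left past known proxy addresses, or the header ignored entirely unless the peer is a configured proxy. The function's closing brace falls outside the hunk as shown.
```go
		ips := strings.Split(string(XForwardedFor), ",")
		// The leftmost entry is whatever the client chose to send; only the
		// rightmost one was appended by the proxy directly in front of Authelia.
		if ip := net.ParseIP(strings.TrimSpace(ips[len(ips)-1])); ip != nil {
			return ip
		}
	// … unchanged: end of the if block and fallback to c.RequestCtx.RemoteIP() …
```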
@@ -33,17 +33,3 @@ func TestShouldCallNextWithAutheliaCtx(t *testing.T) {
 	assert.True(t, nextCalled)
 }
-
-func TestShouldExtractXRealIPAsRemoteIP(t *testing.T) {
-	ctx := &fasthttp.RequestCtx{}
-	autheliaCtx := middlewares.AutheliaCtx{
-		RequestCtx: ctx,
-	}
-	assert.Equal(t, "0.0.0.0", autheliaCtx.RemoteIP().String())
-
-	ctx.Request.Header.Add("X-Forwarded-For", "10.0.0.1 , 192.168.0.1, 127.0.0.1")
-	assert.Equal(t, "10.0.0.1", autheliaCtx.RemoteIP().String())
-
-	ctx.Request.Header.Add("X-Real-Ip", "10.2.0.1")
-	assert.Equal(t, "10.2.0.1", autheliaCtx.RemoteIP().String())
-}