Fix wrap-forwarded-remote addr security issue

Middleware function incorrectly used the first rather than last value
present in the X-Forwarded-For header. This could result in attackers
being able to spoof the :remote-addr key if this middleware was used.
Reported by Daniel Compton <desk@danielcompton.net>.

Author: weavejester

src/ring/middleware/proxy_headers.clj

@@ -4,10 +4,10 @@
 
 (defn wrap-forwarded-remote-addr
   "Middleware that changes the :remote-addr of the request map to the
-  first value present in the X-Forwarded-For header."
+  last value present in the X-Forwarded-For header."
   [handler]
   (fn [request]
     (if-let [forwarded-for (get-in request [:headers "x-forwarded-for"])]
-      (let [remote-addr (str/trim (re-find #"^[^,]*" forwarded-for))]
+      (let [remote-addr (str/trim (re-find #"[^,]*$" forwarded-for))]
         (handler (assoc request :remote-addr remote-addr)))
       (handler request))))

test/ring/middleware/proxy_headers_test.clj

@@ -21,6 +21,6 @@
     (testing "with multiple proxies"
       (let [req  (-> (request :get "/")
                      (assoc :remote-addr "127.0.0.1")
-                     (header "x-forwarded-for" "1.2.3.4, 10.0.1.9, 192.168.4.98"))
+                     (header "x-forwarded-for" "10.0.1.9, 192.168.4.98, 1.2.3.4"))
             resp (handler req)]
         (is (= (:body resp) "1.2.3.4"))))))