Posted to cvs@httpd.apache.org by mr...@apache.org on 2014/04/17 20:14:50 UTC

svn commit: r1588330 - in /httpd/httpd/trunk: CHANGES modules/metadata/mod_remoteip.c

Author: mrumph
Date: Thu Apr 17 18:14:49 2014
New Revision: 1588330

URL: http://svn.apache.org/r1588330
Log:
Prevent an external proxy from presenting an internal proxy
in mod_remoteip.c. PR 55962.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/metadata/mod_remoteip.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1588330&r1=1588329&r2=1588330&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Apr 17 18:14:49 2014
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_remoteip: Prevent an external proxy from presenting an internal
+     proxy. PR 55962. [Mike Rumph]
+
   *) mod_ssl: Add hooks to allow other modules to perform processing at
      several stages of initialization and connection handling.  See
      mod_ssl_openssl.h.  [Jeff Trawick]

Modified: httpd/httpd/trunk/modules/metadata/mod_remoteip.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?rev=1588330&r1=1588329&r2=1588330&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
+++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Thu Apr 17 18:14:49 2014
@@ -230,11 +230,24 @@ static int remoteip_modify_request(reque
     char *parse_remote;
     char *eos;
     unsigned char *addrbyte;
+
+    /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+       or RemoteIPTrustedProxyList directive is configured,
+       all proxies will be considered as external trusted proxies.
+     */
     void *internal = NULL;
 
     if (!config->header_name) {
         return DECLINED;
     }
+ 
+    if (config->proxymatch_ip) {
+        /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+           or RemoteIPTrustedProxyList directive is configured.
+           In this case, default to internal proxy.
+         */
+        internal = (void *) 1;
+    }
 
     remote = (char *) apr_table_get(r->headers_in, config->header_name);
     if (!remote) {
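Review bot: The added blank line after the `DECLINED` return carries a trailing space (`+ ` instead of an empty line); drop it before commit so the file stays whitespace-clean. The new default `internal = (void *) 1;` is a magic sentinel standing in for "true" because `internal` later takes the `void *` value of `match[i].internal`; the comment explains when it is set but not why a pointer holds a flag, so I would extend it with `/* void * rather than int because it is later assigned match[i].internal */`. The opening comment's wording "all proxies will be considered as external trusted proxies" also reads oddly next to the RemoteIPTrustedProxy directive it names; presumably it means that with no proxy list configured, every hop in the header stays in the (external) proxy chain — worth confirming against the loop that consumes `internal`, which lies outside this hunk. The body of remoteip_modify_request continues past the end of the hunk.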
@@ -254,7 +267,13 @@ static int remoteip_modify_request(reque
             match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
             for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
                 if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
-                    internal = match[i].internal;
+                    if (internal) {
+                        /* Allow an internal proxy to present an external proxy,
+                           but do not allow an external proxy to present an internal proxy.
+                           In this case, the presented internal proxy will be considered external.
+                         */
+                        internal = match[i].internal;
+                    }
                     break;
                 }
             }
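Review bot: The guard makes `internal` one-way along the chain — once a matched hop is external, later hops can no longer set it back — but the comment on the added lines describes the rule from the proxy's point of view and leaves the invariant implicit, so a maintainer has to reconstruct why the assignment is skipped when `internal` is already NULL. I would state it directly: `/* internal only ever goes from set to cleared: a hop classified external cannot re-promote the addresses it forwards to internal. */`. Note that this relies on `internal` being non-NULL before the first match (set earlier in the function when `proxymatch_ip` is configured), and on the unmatched-address handling that follows the `for` loop; both the enclosing `while` loop and the function extend outside this hunk, so the interaction with an empty `proxymatch_ip` array (no iterations, `internal` left set) cannot be checked from here.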