Posted to cvs@httpd.apache.org by mr...@apache.org on 2014/04/17 20:14:50 UTC
svn commit: r1588330 - in /httpd/httpd/trunk: CHANGES
modules/metadata/mod_remoteip.c
Author: mrumph
Date: Thu Apr 17 18:14:49 2014
New Revision: 1588330
URL: http://svn.apache.org/r1588330
Log:
Prevent an external proxy from presenting an internal proxy
in mod_remoteip.c. PR 55962.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/metadata/mod_remoteip.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1588330&r1=1588329&r2=1588330&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Apr 17 18:14:49 2014
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
*) mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling. See
mod_ssl_openssl.h. [Jeff Trawick]
Modified: httpd/httpd/trunk/modules/metadata/mod_remoteip.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/metadata/mod_remoteip.c?rev=1588330&r1=1588329&r2=1588330&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
+++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Thu Apr 17 18:14:49 2014
@@ -230,11 +230,24 @@ static int remoteip_modify_request(reque
char *parse_remote;
char *eos;
unsigned char *addrbyte;
+
+ /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured,
+ all proxies will be considered as external trusted proxies.
+ */
void *internal = NULL;
if (!config->header_name) {
return DECLINED;
}
+
+ if (config->proxymatch_ip) {
+ /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured.
+ In this case, default to internal proxy.
+ */
+ internal = (void *) 1;
+ }
remote = (char *) apr_table_get(r->headers_in, config->header_name);
if (!remote) {
@@ -254,7 +267,13 @@ static int remoteip_modify_request(reque
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
- internal = match[i].internal;
+ if (internal) {
+ /* Allow an internal proxy to present an external proxy,
+ but do not allow an external proxy to present an internal proxy.
+ In this case, the presented internal proxy will be considered external.
+ */
+ internal = match[i].internal;
+ }
break;
}
}
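Review bot: The guarded assignment `if (internal) { internal = match[i].internal; }` in the match loop, together with the `internal = (void *) 1;` seed in the first hunk, turns `internal` into a sticky flag meaning "no external hop has been seen yet" rather than "this hop is internal", and neither of the two new comment blocks states that change of meaning, which is the whole mechanism behind the fix. I would fold the near-duplicate comments above `void *internal = NULL;` and inside `if (config->proxymatch_ip)` into one comment at the seed, e.g. `/* Sticky flag: starts set when a proxy list is configured, is cleared by the first hop that matches a trusted (external) entry, and is never set again, so an external proxy cannot present a later hop as internal. */`. Storing an integer in a `void *` presumably mirrors how the directive data is carried elsewhere in the file, but a named constant for the seed value would make the sentinel easier to find and grep for than a bare `(void *) 1`. remoteip_modify_request begins and ends outside both hunks, so the `break` on a non-matching hop and the consumers of `internal` are not visible here.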