DO NOT REPLY [Bug 28125] New: - mod_rewrite causes privacy leak in http proxy

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28125>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28125

mod_rewrite causes privacy leak in http proxy

           Summary: mod_rewrite causes privacy leak in http proxy
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ast@domdv.de


If rewrite rules are used within a <Proxy *></Proxy> block mod_rewrite
unconditionally sets r->proxyreq = PROXYREQ_REVERSE which causes
modules/proxy/proxy_http.c to add the following headers to all regular,
i.e. forward proxy requests:

X-Forwarded-For: <local-client-ip>
X-Forwarded-Host: <local-client-hostname>
X-Forwarded-Server: <local-proxy-hostname>

To prevent this privacy leak mod_rewrite must not change the value of
r->proxyreq if it already has the value of PROXYREQ_PROXY.

Note that this is a very valid scenario as mod_rewrite can be used
e.g. to deny certain buggy user agents access to the proxy.

Patch follows.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org