[Tickets #6133] don't blindly trust x-forwarded-for
bugs at horde.org
Tue Jan 22 15:52:25 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=6133
-----------------------------------------------------------------------
Ticket | 6133
Created By | uhlar at fantomas.sk
Summary | don't blindly trust x-forwarded-for
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Bug
State | Unconfirmed
Priority | 1. Low
Milestone |
Patch |
Owners |
-----------------------------------------------------------------------
uhlar at fantomas.sk (2008-01-22 10:52) wrote:
There are some places in Horde where the X-Forwarded-For header is used for
specifying the IP the connection came from. The X-Forwarded-For is provided by the
client, which can send anything, and it will be used.
This results in e.g. mail headers containing internal IPs unreachable
from the server, telling nothing to the admin.
Please make usage of X-Forwarded-For optional. The best solution, allowing
to trust some (e.g. own) proxies, would be to have a list of trusted proxies
and check REMOTE_ADDR and HTTP_X_FORWARDED_FOR (from last to first) if they
match a trusted proxy, and use the first untrusted IP in the list.
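The trusted-proxy walk the reporter describes, as an added worked example (not Horde's own code, and written in Python rather than Horde's PHP so it can be run stand-alone). The naive version beside it takes the header at face value, which is the behaviour the ticket complains about. The trusted-proxy list (10.0.0.0/8 and 192.0.2.10) and all addresses are constructed sample values; the function and parameter names are this example's own.

```python
import ipaddress

# Constructed sample: proxies the deployer operates and therefore trusts.
# Anything not in this list is treated as an untrusted hop.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def naive_client_ip(remote_addr, xff_header):
    """The flawed approach: whatever the client put first in X-Forwarded-For wins."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    return hops[0] if hops else remote_addr


def _parse(addr):
    """Return an ip_address object, or None if the value is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Walk REMOTE_ADDR, then X-Forwarded-For from last to first, and return the
    first hop that is not a trusted proxy.

    - If REMOTE_ADDR itself is not a trusted proxy, the header is ignored entirely:
      the peer could have written anything into it.
    - A malformed hop stops the walk and falls back to REMOTE_ADDR, so garbage can
      never end up in log or mail headers.
    - If every hop is a trusted proxy (or the header is empty), REMOTE_ADDR is used.
    """
    peer = _parse(remote_addr)
    if peer is None or not _is_trusted(peer, trusted):
        return remote_addr

    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return remote_addr
        if not _is_trusted(ip, trusted):
            return str(ip)
    return remote_addr


if __name__ == "__main__":
    # Client connects directly and spoofs a header: the naive code believes it.
    print(naive_client_ip("203.0.113.5", "127.0.0.1"))   # 127.0.0.1 (spoofed)
    print(client_ip("203.0.113.5", "127.0.0.1"))         # 203.0.113.5
    # Request came through our proxy 10.0.0.2; the client also prepended a fake hop.
    print(client_ip("10.0.0.2", "172.16.0.1, 198.51.100.7, 10.0.0.3"))  # 198.51.100.7
```

Entries to the left of the first untrusted hop are deliberately discarded: once an untrusted party has appended to the chain, nothing before it can be verified. The `ipaddress` module makes the same logic work for IPv6 addresses and networks without changes.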