Felix Eckhofer
2014-03-26 ef721fc430fbb19da13060105577bf7605606b81
author Felix Eckhofer <felix@eckhofer.com>
Wednesday, March 26, 2014 09:13 -0400
committer Felix Eckhofer <felix@eckhofer.com>
Wednesday, March 26, 2014 15:44 -0400
commit ef721fc430fbb19da13060105577bf7605606b81
tree 39e9c72efb345dc513e27dbfec1a71a14bb3cc01
parent 3fca238554c90c51e8bc694bc280e0c117958b85
Add config variable 'proxy_whitelist'

HTTP headers X_FORWARDED_* and X_REAL_IP are only evaluated when
received from an IP listed in proxy_whitelist. Furthermore, only the
last non-trusted IP from X-Forwarded-For is used in place of the real
IP.

Without this, an attacker can easily spoof the headers and control the
result of the IP or SSL check.

This fixes several problems with [3a4c9f42], [4d480b36] and [a520f331] as
mentioned in #1489729.
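The rule the commit message describes, modelled as an added example in Python (this is not Roundcube's rcube_utils code and does not reproduce its API): forwarding headers are honoured only when the TCP peer is a listed proxy, and X-Forwarded-For is walked from the right so that the first address not belonging to a trusted proxy wins, which defeats a client that prepends its own fake entry. The CIDR support in the whitelist, the precedence of X-Forwarded-For over X-Real-IP, the fail-safe fallback to the peer address on malformed values, the X-Forwarded-Proto handling for the SSL check, and every address in the constructed requests are assumptions of this example, not facts taken from the commit.

```python
import ipaddress

# Constructed trusted-proxy list for this example. The commit's proxy_whitelist
# holds IPs; accepting CIDR ranges here is an assumption of this example.
PROXY_WHITELIST = ["10.0.0.0/8", "192.0.2.10"]


def _parse_networks(entries):
    """Turn whitelist strings into ip_network objects, dropping malformed ones."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # a bad config entry must not make an address "trusted"
    return nets


def _valid_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def is_trusted_proxy(ip, whitelist=PROXY_WHITELIST):
    """True only if ip parses and falls inside a whitelisted host or range."""
    if not _valid_ip(ip):
        return False
    addr = ipaddress.ip_address(ip.strip())
    return any(addr in net for net in _parse_networks(whitelist))


def _header(headers, name):
    """Case-insensitive header lookup (headers is a plain dict in this example)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip(remote_addr, headers, whitelist=PROXY_WHITELIST):
    """Resolve the client address the way the commit describes.

    remote_addr is the TCP peer (REMOTE_ADDR). If it is not a trusted proxy,
    every forwarding header is ignored: an untrusted peer can write anything.
    """
    if not is_trusted_proxy(remote_addr, whitelist):
        return remote_addr

    xff = _header(headers, "X-Forwarded-For")
    if xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        # Proxies append to the right, so walk from the right and skip every
        # hop that is itself a trusted proxy. The first non-trusted hop is the
        # "last non-trusted IP"; anything to its left was supplied by the
        # client and is untrustworthy.
        for hop in reversed(hops):
            if not is_trusted_proxy(hop, whitelist):
                # Assumption: a garbage value falls back to the peer address.
                return hop if _valid_ip(hop) else remote_addr
        # Every hop was a trusted proxy: nothing usable in the header.

    # Assumption: X-Real-IP is consulted only as a fallback.
    real_ip = _header(headers, "X-Real-IP")
    if real_ip and _valid_ip(real_ip):
        return real_ip.strip()
    return remote_addr


def is_https(remote_addr, headers, whitelist=PROXY_WHITELIST, tls_on_socket=False):
    """SSL check: believe X-Forwarded-Proto only from a trusted proxy (assumed)."""
    if tls_on_socket:
        return True
    if not is_trusted_proxy(remote_addr, whitelist):
        return False
    proto = _header(headers, "X-Forwarded-Proto")
    return proto is not None and proto.strip().lower() == "https"


if __name__ == "__main__":
    # Constructed requests: one spoof from an untrusted peer, one through a proxy
    # where the client prepended a fake hop before the proxy appended the real one.
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "127.0.0.1"}))
    print(client_ip("10.1.1.1", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7, 10.2.2.2"}))
    print(is_https("203.0.113.5", {"X-Forwarded-Proto": "https"}))
```

The order of the checks matters: the whitelist test on the peer address comes first, so a client that talks to the application directly gets its own address back no matter what it sends, and the right-to-left walk means a whitelisted proxy that is itself listed in the chain is never mistaken for the client.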
3 files modified, 30 lines changed:
CHANGELOG (1)
config/defaults.inc.php (4)
program/lib/Roundcube/rcube_utils.php (25)