Felix Eckhofer
2014-03-26 f58a294949547ed132bf3cdb5815b68c659b992a
author Felix Eckhofer <felix@eckhofer.com>
Wednesday, March 26, 2014 09:13 -0400
committer Thomas Bruederli <thomas@roundcube.net>
Friday, April 25, 2014 12:40 -0400
commit f58a294949547ed132bf3cdb5815b68c659b992a
tree 2285e1abf79f45dc7bbc0222651363f4eaf50165
parent d71a711ab06483e62b1a7343e296ef8639352689
Add config variable 'proxy_whitelist'

HTTP headers X_FORWARDED_* and X_REAL_IP are only evaluated when
received from an IP listed in proxy_whitelist. Furthermore, only the
last non-trusted IP from X-Forwarded-For is used in place of the real
IP.

Without this, an attacker can easily spoof the headers and control the
result of the IP or SSL check.

This fixes several problems with [3a4c9f42], [4d480b36] and [a520f331] as
mentioned in #1489729.

Conflicts:
CHANGELOG
3 files modified (30 lines changed):
CHANGELOG 1
config/defaults.inc.php 4
program/lib/Roundcube/rcube_utils.php 25
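The rule the commit message describes (forwarding headers are honoured only when the TCP peer is a whitelisted proxy, and only the last non-trusted entry of X-Forwarded-For replaces the client address) is easy to get wrong, so here it is as an added example. This is illustration code written for this page in Python, not Roundcube's PHP implementation from `rcube_utils.php`. The concrete header names `X-Forwarded-For`, `X-Real-IP` and `X-Forwarded-Proto`, the CIDR form of the whitelist entries, and the fail-closed fallback to the socket address when a proxy supplies an unparsable value are assumptions of this example, not something the commit states.

```python
"""Trusted-proxy resolution of the client IP and of the HTTPS flag.

Added illustration in Python; not Roundcube's PHP code. Header names,
the CIDR whitelist format and the fail-closed fallbacks are assumptions
of this example.
"""
import ipaddress
from typing import Iterable, List, Mapping, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_whitelist(entries: Iterable[str]) -> List[Network]:
    """Turn proxy_whitelist entries (single IPs or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_trusted(ip: str, trusted: List[Network]) -> bool:
    """True only if `ip` parses as an address and lies inside a whitelisted network."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def client_ip(remote_addr: str, headers: Mapping[str, str],
              proxy_whitelist: Iterable[str]) -> str:
    """Resolve the client address under the trusted-proxy rule.

    Forwarding headers are consulted only when the TCP peer (remote_addr)
    is a whitelisted proxy; anything an untrusted peer sends is ignored.
    From X-Forwarded-For the *last* non-trusted entry is taken, i.e. the
    address recorded by the first trusted proxy, never the spoofable
    left-most value.
    """
    trusted = parse_whitelist(proxy_whitelist)
    if not is_trusted(remote_addr, trusted):
        return remote_addr

    xff = _header(headers, "X-Forwarded-For")
    if xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            if is_trusted(hop, trusted):
                continue                      # an intermediate trusted proxy
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr            # garbage from a proxy: fail closed
        return remote_addr                    # only trusted proxies were listed

    real_ip = _header(headers, "X-Real-IP").strip()
    if real_ip:
        try:
            return str(ipaddress.ip_address(real_ip))
        except ValueError:
            return remote_addr
    return remote_addr


def is_https(remote_addr: str, headers: Mapping[str, str],
             proxy_whitelist: Iterable[str], socket_is_tls: bool = False) -> bool:
    """Same trust rule applied to the SSL check.

    A direct TLS connection is always HTTPS. X-Forwarded-Proto (assumed
    header name) is honoured only from a whitelisted proxy, so an
    untrusted client cannot flip the result by adding the header itself.
    """
    if socket_is_tls:
        return True
    if not is_trusted(remote_addr, parse_whitelist(proxy_whitelist)):
        return False
    proto = _header(headers, "X-Forwarded-Proto").split(",")[0].strip().lower()
    return proto == "https"


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    whitelist = ["10.0.0.0/8"]
    # Direct client spoofing both headers: ignored, socket address wins.
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"}, whitelist))
    # Request through two trusted proxies; the left-most entry is attacker-supplied.
    print(client_ip("10.0.0.1",
                    {"X-Forwarded-For": "192.0.2.1, 198.51.100.9, 10.0.0.2"},
                    whitelist))
```

Whitelisting a whole /8 as above is only for the illustration; in a deployment the list should contain exactly the addresses of the reverse proxies in front of the application, since every address in it is allowed to rewrite the client IP and the HTTPS flag.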