[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Reindl Harald h.reindl at thelounge.net
Fri Nov 7 10:37:49 CET 2014


On 07.11.2014 at 10:30, Thomas Bruederli wrote:
> Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
> reflect the client IP if your webserver is behind a reverse proxy or
> load balancer. There's rcube_utils::remote_addr() which extracts the
> real client IP from the headers such intermediate systems add to the
> request

in a sane setup it does
http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not 
trustable and hence "mod_remoteip" or for older Apache versions 
"mod_rpaf" - the important difference is that:

a) the serveradmin knows the server is behind a proxy
b) the serveradmin knows the IP of the proxy
c) what remote_addr() does happens transparently
d) and it happens in a trustable way
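
Added example, not part of the original mail and not Roundcube or Apache code: a sketch of the rule points a) to d) describe, where X-Forwarded-For is honoured only when the TCP peer is a proxy the admin has listed. The proxy ranges and the names `TRUSTED_PROXIES`, `is_trusted` and `client_ip` are assumptions made for illustration.

```python
import ipaddress

# Assumption: proxy addresses the server admin configured explicitly
# (constructed sample values, documentation/private ranges only).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(addr):
    """True if addr belongs to one of the admin-configured proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header=None):
    """Return the client address for one request.

    peer:       TCP peer of the connection (what REMOTE_ADDR holds).
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    current = ipaddress.ip_address(peer)
    if not is_trusted(current) or not xff_header:
        # Direct connection: the header is client-controlled, so ignore it.
        return str(current)
    # Walk right to left: each trusted hop vouches only for the entry
    # it appended itself, never for anything further left.
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = hop
        if not is_trusted(hop):
            break  # first untrusted address is the client; stop here
    return str(current)
```

Entries to the left of the first untrusted address are never used, so a client that sends its own X-Forwarded-For value cannot change the result.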
