[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Reindl Harald h.reindl at thelounge.net
Fri Nov 7 12:24:39 CET 2014


On 07.11.2014 at 12:17, Cor Bosman wrote:
> I changed my plugin to use the rcube_utils function,
> https://github.com/corbosman/ident
>
> Reindl has a point though, but that should be changed in that function then

it can't

the point of "mod_remoteip" is that you never face the physical IP 
anywhere in the application, not in the logs and not in apache modules 
like mod_security if they are implemented correctly

if you read the mod_remoteip docs carefully you see that this header can 
list more than one address (two proxies between the user and your own 
proxy which adds his physical client ID) and hence it is important which 
is your own trusted one, and God forbid you try to handle that inside the 
application and make mistakes if the result is used for authentication 
and permissions

that's why you *never* should deal with that inside a webapp and keep 
the responsibility with the webserver admin

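The failure mode Reindl describes, an application picking an address out of a multi-entry X-Forwarded-For header, can be illustrated with the following added example. It is not Roundcube's code, nor the ident plugin's, nor mod_remoteip's; it models the documented mod_remoteip behaviour (walk the header from right to left, skip every address that belongs to a configured trusted proxy, stop at the first one that does not) next to the naive "take the first address" approach. The trusted-proxy list (10.0.0.0/8, standing in for an Apache `RemoteIPInternalProxy` setting) and the sample header values are constructed for the example.

```python
import ipaddress
from typing import List


def parse_forwarded_for(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its individual entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def naive_client_ip(remote_addr: str, header: str) -> str:
    """What a webapp that 'just reads the header' ends up with.

    The left-most entry is whatever the first hop claimed, i.e. it is
    attacker-controlled: any client can send its own X-Forwarded-For.
    """
    parts = parse_forwarded_for(header)
    return parts[0] if parts else remote_addr


def trusted_client_ip(remote_addr: str, header: str, trusted_proxies: List[str]) -> str:
    """Resolve the real client address the way a reverse-proxy-aware
    webserver module does: only trust the header if the TCP peer is one of
    our proxies, then peel trusted proxies off the right-hand end of the
    chain until the first address we do not operate.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    # Header from a peer that is not our proxy: it is untrusted input, ignore it.
    if not is_trusted(remote_addr):
        return remote_addr

    chain = parse_forwarded_for(header)
    client = remote_addr
    while chain:
        candidate = chain.pop()  # right-most entry was appended by the nearest hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return client  # malformed entry: keep the last good address
        client = candidate
        if not is_trusted(candidate):
            break  # first hop we do not control is the client
    return client


if __name__ == "__main__":
    # Constructed sample: our edge proxy (10.0.0.2) talks to us, behind it sits a
    # second internal proxy (10.0.0.3); the real client 203.0.113.7 sent a forged
    # "1.2.3.4" in its own X-Forwarded-For header.
    peer = "10.0.0.2"
    xff = "1.2.3.4, 203.0.113.7, 10.0.0.3"
    trusted = ["10.0.0.0/8"]  # assumed RemoteIPInternalProxy range
    print("naive  :", naive_client_ip(peer, xff))            # 1.2.3.4 (forged)
    print("trusted:", trusted_client_ip(peer, xff, trusted))  # 203.0.113.7
```

The two results differ exactly on the forged left-most entry: the naive lookup hands the forged address to whatever authentication or permission logic consumes it, while the proxy-aware resolution never lets an entry past the last proxy the administrator declared trusted. Which ranges are trusted is knowledge only the webserver admin has, which is why the resolution belongs in the webserver configuration and not in the application.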