[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Thomas Bruederli thomas at roundcube.net
Fri Nov 7 13:12:26 CET 2014


On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>
> Am 07.11.2014 um 10:30 schrieb Thomas Bruederli:
>>
>> Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
>> reflect the client IP if your webserver is behind a reverse proxy or
>> load balancer. There's rcube_utils::remote_addr() which extracts the
>> real client IP from the headers such intermediate systems add to the
>> request
>
>
> in a sane setup it does
> http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
>
> rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not
> trustable and hence "mod_remoteip" or for older Apache versions "mod_rpaf" -
> the important difference is that:

You're certainly right about this but if you look at the
implementation of remote_addr() you'll find that the X-Forwarded-For
header is only considered if the request comes from a known proxy IP
which can be set with the 'proxy_whitelist' config option. For those
not using mod_remoteip, this should do the job.

However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available.

~Thomas
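A worked illustration of the trusted-proxy check discussed in this thread, added here as an example; it is not Roundcube's rcube_utils::remote_addr() and does not claim to mirror that function's exact behaviour. It goes slightly beyond the single-proxy case by walking X-Forwarded-For from the right and skipping every whitelisted hop, which is what stops a client-supplied leading entry from being picked up when more than one proxy is in the path. The function name clientIp, the $trustedProxies list and the three sample requests are assumptions made for this illustration.

```php
<?php
// Added example, not Roundcube's own code.
// Resolve the real client IP behind reverse proxies, trusting
// X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is a known proxy.
// The helper name, the $trusted list and the sample requests below
// are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Return the client IP for a request described by $server
 * (same shape as PHP's $_SERVER), given a list of trusted proxy IPs.
 *
 * Walks X-Forwarded-For from the right (the hop closest to us) and
 * skips trusted proxies; the first address that is not a trusted proxy
 * is the client. Anything left of it was appended by untrusted parties
 * and may be forged, so it is ignored.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Direct connection (or an unknown proxy): never believe the header.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        // Skip garbage a client may have injected (e.g. "evil" or "1.2.3").
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            continue;
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }

    // Every usable hop was a trusted proxy; fall back to the peer.
    return $peer;
}

// Constructed sample requests (not real traffic); $trusted plays the
// role of a proxy_whitelist-style setting.
$trusted = ['10.0.0.1', '10.0.0.2'];

$cases = [
    // 1. Behind the load balancer: header is trusted, client is 203.0.113.5.
    ['REMOTE_ADDR' => '10.0.0.1',
     'HTTP_X_FORWARDED_FOR' => '203.0.113.5'],
    // 2. Two trusted hops and a forged leading entry from the client:
    //    the rightmost non-proxy address, 203.0.113.5, wins.
    ['REMOTE_ADDR' => '10.0.0.2',
     'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.5, 10.0.0.1'],
    // 3. Direct connection with a forged header: header is ignored,
    //    REMOTE_ADDR (192.0.2.77) is returned.
    ['REMOTE_ADDR' => '192.0.2.77',
     'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
];

foreach ($cases as $n => $srv) {
    printf("case %d: %s\n", $n + 1, clientIp($srv, $trusted));
}
```

The important property is the first branch: with an empty or wrong trusted-proxy list the header is never consulted, which is exactly the guarantee mod_remoteip gives via its RemoteIPInternalProxy / RemoteIPTrustedProxy directives, only done in application code instead.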

