On 07.11.2014 at 13:12, Thomas Bruederli wrote:
> On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> On 07.11.2014 at 10:30, Thomas Bruederli wrote:
>>> Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't reflect the client IP if your webserver is behind a reverse proxy or load balancer. There's rcube_utils::remote_addr() which extracts the real client IP from the headers such intermediate systems add to the request
>>
>> in a sane setup it does http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
>>
>> rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not trustable and hence "mod_remoteip" or for older Apache versions "mod_rpaf" - the important difference is that:
>
> You're certainly right about this but if you look at the implementation of remote_addr() you'll find that the X-Forwarded-For header is only considered if the request comes from a known proxy IP which can be set with the 'proxy_whitelist' config option. For those not using mod_remoteip, this should do the job.

please take a look at the mod_remoteip docs

can you assure that you handle the case where the HTTP header contains more than one IP strictly enough, and what are you doing if the proxy is using one of the AFAIK 3 possible HTTP headers and one of the remaining ones is present?

in that case and with "mod_remoteip" you only see the untrusted ones in the PHP layer and have no hint that the real one is already translated

so in a large environment that may lead to somebody fixing the HTTP setup because of logging and other issues and configuring 'mod_remoteip', and that maybe is not the same person who configured roundcube

also consider if the "mod_remoteip" logic/code turns out to contain a security relevant flaw (that was indeed the case not so long ago) and gets a fix, this is applied to every single web application not dealing with that itself
__________________________________
Apache 2.4.8:
docs are unchanged, but the implementation had an error

> However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available

please do so!
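As an added example (not Roundcube's rcube_utils::remote_addr() and not Apache code), here is how a PHP resolver can apply the rule Thomas describes, trusting X-Forwarded-For only when the direct peer is in a configured proxy list, while covering the two cases Reindl raises: a header with several IPs is walked from the right so only the nearest untrusted hop counts, and only one header is honoured, so a second forwarding header present at the same time cannot override it. When mod_remoteip has already rewritten REMOTE_ADDR to the real client, that address is not in the proxy list and every header is ignored, which is the safe outcome. The proxy list is a function parameter here rather than the 'proxy_whitelist' option, and the REMOTE_IP check follows the thread's suggestion and assumes a front end that actually sets it; the sample requests are constructed.

```php
<?php
// Added example, not Roundcube's implementation: resolve the client IP while
// honouring X-Forwarded-For only if the direct peer is a configured proxy.

function resolve_client_ip(array $server, array $trusted_proxies): string
{
    // The thread suggests consulting REMOTE_IP when present. Assumption: a
    // trusted front end populates it; an untrusted client cannot set it.
    if (!empty($server['REMOTE_IP']) && filter_var($server['REMOTE_IP'], FILTER_VALIDATE_IP)) {
        return $server['REMOTE_IP'];
    }

    $peer = $server['REMOTE_ADDR'] ?? '';

    // Peer is not one of our proxies (no proxy in front, or mod_remoteip /
    // mod_rpaf already replaced REMOTE_ADDR with the real client): ignore
    // every forwarding header, since anyone can send one.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }

    // Exactly one header is honoured. X-Real-IP, Client-IP and friends are
    // ignored even when present, so a competing header cannot win.
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    // The right-most entry was appended by the nearest proxy; anything a
    // client put at the front is untrusted. Skip our own proxies from the
    // right and stop at the first address that is not one of them.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: do not guess, fall back to the peer address.
            return $peer;
        }
        if (!in_array($ip, $trusted_proxies, true)) {
            return $ip;
        }
    }

    // Every hop was a trusted proxy; there is no untrusted client to report.
    return $peer;
}

// Constructed sample requests (not captured traffic).
$proxies = ['10.0.0.5', '10.0.0.4'];

$samples = [
    // Behind the proxy; the client prepended a forged entry, which is ignored.
    'spoofed leading entry' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7'],
    // Two trusted proxies in the chain; the first untrusted hop is the client.
    'two proxy hops' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.4'],
    // Direct connection sending a forwarding header: the header is ignored.
    'direct with forged header' => ['REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
    // A second header alongside X-Forwarded-For is never consulted.
    'competing header' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7', 'HTTP_X_REAL_IP' => '198.51.100.9'],
    // Garbage in the chain: fall back to the peer rather than guess.
    'malformed entry' => ['REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip, 203.0.113.7'],
];

foreach ($samples as $label => $request) {
    printf("%-26s -> %s\n", $label, resolve_client_ip($request, $proxies));
}
```

The resolver deliberately refuses to parse anything beyond a comma-separated list of bare addresses; proxies that append ports or bracketed IPv6 literals need the trusted proxy to normalise the header first, or the entry is treated as malformed and the peer address is used.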