> On 07.11.2014 at 12:51, Cor Bosman wrote:
>> On 07 Nov 2014, at 12:44, Reindl Harald h.reindl@thelounge.net wrote:
>>> I don't know what roundcube itself does with that info, but I don't think it does anything 'dangerous' with it
>>> *but* dovecot may, depending on the configuration, because forwarding that information has the simple reason that otherwise you can't enforce IP-based access lists for webmail users
>>> finally that means: don't forward untrustworthy information to dovecot
>>> doing so breaks, until that happens, sane and secure configurations, and secure in that context means nobody but the server admin knows the big picture of proxies, NAT and access lists and hence is responsible for dealing with that - that's why mod_remoteip exists
>> Dovecot doesn't. All dovecot does with that information is log the x-forwarded-ip
> and then on the server runs "fail2ban", enforcing blocking based on that log - congratulations
That still doesn't compromise your security, but I see your point. A DoS possibility, even a remote possibility, is annoying.
I'll revert my plugin back to $_SERVER, and I'll leave it up to the rc devs what to do with the rcube_utils function.
Cor
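The point of the exchange is that an address taken from `X-Forwarded-For` is only as trustworthy as the hop that wrote it, and that once Dovecot logs it and fail2ban acts on the log, a forged header becomes a way to get arbitrary addresses banned. The PHP below is an added example, not Roundcube's plugin or its rcube_utils function, of the check mod_remoteip performs on the web server side: honour the header only when `REMOTE_ADDR` is a proxy the server admin has explicitly listed, and walk the chain from the right so entries written by untrusted parties are discarded. The function name, the trusted-proxy list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example (not Roundcube's or Dovecot's code): derive the client IP the
// way mod_remoteip does, so X-Forwarded-For is only honoured when the direct
// TCP peer is a proxy the server admin listed. The function name, the
// $trusted_proxies list and all addresses below are constructed assumptions.

/**
 * Return the client address that is safe to log or to hand on (e.g. to Dovecot).
 *
 * @param array $server          the $_SERVER array (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
 * @param array $trusted_proxies IPs of reverse proxies allowed to set X-Forwarded-For
 */
function trusted_remote_addr(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        // No usable peer address at all; never fall back to a client-supplied header.
        return '';
    }

    // Direct connection, or a peer that is not one of our proxies: the TCP peer
    // is the client, and whatever it put into X-Forwarded-For is ignored.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    // Walk the chain from the right (most recently appended hop) leftwards,
    // dropping trusted proxies; the first untrusted hop is the real client.
    // Anything further left was written by an untrusted party and is dropped.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: fall back to the peer rather than forwarding
            // garbage that a downstream log parser (fail2ban) would act on.
            return $peer;
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    // Every hop was a trusted proxy; the peer is the best answer we have.
    return $peer;
}

// Constructed sample inputs, not real traffic.
$trusted = ['10.0.0.5'];

// 1. Client connects directly and supplies its own header: the header is ignored
//    and the TCP peer address is returned.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
echo trusted_remote_addr($direct, $trusted), "\n";

// 2. Request arrives via the trusted proxy, which appended the client address
//    after a client-supplied entry: the rightmost untrusted hop is returned.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 192.0.2.77'];
echo trusted_remote_addr($proxied, $trusted), "\n";

// 3. For contrast, the naive lookup the thread warns about, which would pass
//    the client-chosen value straight through to the log:
echo $direct['HTTP_X_FORWARDED_FOR'], "\n";
```

With this in place the value forwarded to Dovecot is either the TCP peer or an address vouched for by a listed proxy, so a fail2ban jail reading Dovecot's log can only ban addresses that actually connected; the list of proxies stays with the server admin, which is the "big picture" argument made above.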