diff options
author | Felix Eckhofer <felix@eckhofer.com> | 2014-03-26 14:13:40 +0100 |
---|---|---|
committer | Thomas Bruederli <thomas@roundcube.net> | 2014-04-25 18:40:53 +0200 |
commit | f58a294949547ed132bf3cdb5815b68c659b992a (patch) | |
tree | 2285e1abf79f45dc7bbc0222651363f4eaf50165 /config/defaults.inc.php | |
parent | d71a711ab06483e62b1a7343e296ef8639352689 (diff) |
Add config variable 'proxy_whitelist'
HTTP headers X_FORWARDED_* and X_REAL_IP are only evaluated when
received from an IP listed in proxy_whitelist. Furthermore, only the
last non-trusted IP from X-Forwarded-For is used in place of the real
ip.
Without this, an attacker can easily spoof the headers and control the
result of the ip or ssl check.
This fixes several problems with [3a4c9f42], [4d480b36] and [a520f331] as
mentioned in #1489729.
Conflicts:
CHANGELOG
Diffstat (limited to 'config/defaults.inc.php')
-rw-r--r-- | config/defaults.inc.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/config/defaults.inc.php b/config/defaults.inc.php index 8c9b96f1a..2ff764fa1 100644 --- a/config/defaults.inc.php +++ b/config/defaults.inc.php @@ -358,6 +358,10 @@ $config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.1 // check client IP in session athorization $config['ip_check'] = false; +// List of trusted proxies +// X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs +$config['proxy_whitelist'] = array(); + // check referer of incoming requests $config['referer_check'] = false; |