Add config variable 'proxy_whitelist'

HTTP headers X_FORWARDED_* and X_REAL_IP are only evaluated when received from an IP listed in proxy_whitelist. Furthermore, only the last non-trusted IP from X-Forwarded-For is used in place of the real ip. Without this, an attacker can easily spoof the headers and control the result of the ip or ssl check. This fixes several problems with [3a4c9f42], [4d480b36] and [a520f331] as mentioned in #1489729.
author: Felix Eckhofer <felix@eckhofer.com> 2014-03-26 14:13:40 +0100
committer: Felix Eckhofer <felix@eckhofer.com> 2014-03-26 20:44:16 +0100
commit: ef721fc430fbb19da13060105577bf7605606b81 (patch)
tree: 39e9c72efb345dc513e27dbfec1a71a14bb3cc01 /config
parent: 3fca238554c90c51e8bc694bc280e0c117958b85 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index e9cc939cb..ffce8e76a 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -358,6 +358,10 @@ $config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.1
 // check client IP in session authorization
 $config['ip_check'] = false;
 
+// List of trusted proxies
+// X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
+$config['proxy_whitelist'] = array();
+
 // check referer of incoming requests
 $config['referer_check'] = false;
author	Felix Eckhofer <felix@eckhofer.com>	2014-03-26 14:13:40 +0100
committer	Felix Eckhofer <felix@eckhofer.com>	2014-03-26 20:44:16 +0100
commit	ef721fc430fbb19da13060105577bf7605606b81 (patch)
tree	39e9c72efb345dc513e27dbfec1a71a14bb3cc01 /config
parent	3fca238554c90c51e8bc694bc280e0c117958b85 (diff)