*) core: Add expression support to SetHandler.
[Eric Covener]
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
*) core: Prevent a server crash in case of an invalid CONNECT request with
a custom error page for status code 400 that uses server side includes.
PR 58929 [Ruediger Pluem]
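Review bot: The new mod_remoteip entry names the fix but not its observable effect. Per the code comment added in this patch, an internal proxy presented by an external proxy is now considered external. A short clause saying so would tell administrators reading CHANGES that addresses in the header may be classified differently than before.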
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_remoteip: Prevent an external proxy from presenting an internal proxy
- PR 55962.
- Trunk version of patch:
- http://svn.apache.org/r1588330
- Trunk patch applies clean, modulo CHANGES
- +1: wrowe, mrumph, jim
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
char *parse_remote;
char *eos;
unsigned char *addrbyte;
+
+ /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured,
+ all proxies will be considered as external trusted proxies.
+ */
void *internal = NULL;
if (!config->header_name) {
return DECLINED;
}
+
+ if (config->proxymatch_ip) {
+ /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured.
+ In this case, default to internal proxy.
+ */
+ internal = (void *) 1;
+ }
remote = (char *) apr_table_get(r->headers_in, config->header_name);
if (!remote) {
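Review bot: `internal = (void *) 1;` in the new `if (config->proxymatch_ip)` block uses a cast integer as a truth flag in a `void *` that is later assigned from `match[i].internal`, so one variable carries both a default state and a value copied from a match entry. A named constant or a separate int flag would make the intent readable. The comment placed above `void *internal = NULL;` should also say outright that NULL means external, since it currently describes the no-directive case without tying it to the initial value.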
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
- internal = match[i].internal;
+ if (internal) {
+ /* Allow an internal proxy to present an external proxy,
+ but do not allow an external proxy to present an internal proxy.
+ In this case, the presented internal proxy will be considered external.
+ */
+ internal = match[i].internal;
+ }
break;
}
}
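Review bot: In the `apr_ipsubnet_test` branch, the new `if (internal)` guard makes the downgrade silent: when `internal` is already NULL, a matching entry is accepted and the loop breaks, but `match[i].internal` is ignored with no trace. A debug-level log at that point would let operators see why an address they listed as internal was treated as external. The comment should also state that the guard depends on `internal` keeping its value from the proxy processed before this one, since that is not evident from these lines.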