Merge r1688399 from trunk:

mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal
redirection has been generated as response to the request (typically as
result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its
useragent_ip has been changed properly, but when internal redirection
to ErrorDocument has been generated later, the mod_remoteip's handler has been
executed again with *the same* c->client_addr as in the original request. If
c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of
c->client_addr, the internal redirection uses the first non-trusted
IP in this particular case, so it won't change the r->useragent_ip during
the internal redirection to ErrorDocument.

Submitted by: jkaluza
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 2eae5b3edd2d6e56c2962d5dde229234dcae7e15..84151b4d03980a6fb80a77804ac45b87130c464f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,8 +2,12 @@
 
 Changes with Apache 2.4.24
 
+  *) mod_remoteip: Pick up where we left off during a subrequest rather
+     than running with the modified XFF but original TCP address.
+     PR 49839/PR 60251
+
   *) core: avoid adding multiple subrequest filters when there are nested
-     subrequests.  PR58292
+     subrequests. PR 58292
 
   *) mod_http2: connection shutdown revisited: corrected edge cases on
      shutting down ongoing streams, changed log warnings to be less noisy

diff --git a/STATUS b/STATUS
index bfdda7385753d454deacfc0bc038583656f0f9cb..2ec21c78aeae499c5848a9c6089bd00786fda01e 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -117,12 +117,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_remoteip: Pick up where we left off during a subrequest rather
-     than running with the modified XFF but original TCP address. PR49839/PR60251
-     trunk patch: http://svn.apache.org/r1688399  
-     2.4.x patch: trunk works
-     +1: covener, ylavic, jim
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
index 0a1dfac49dd6ce4cfe9e6d9c02f91c34c6432763..28e01df2976f6bf28bb71dedf5b98542e18f8cb1 100644 (file)
--- a/modules/metadata/mod_remoteip.c
+++ b/modules/metadata/mod_remoteip.c
@@ -255,7 +255,7 @@ static int remoteip_modify_request(request_rec *r)
     }
     remote = apr_pstrdup(r->pool, remote);
 
-    temp_sa = c->client_addr;
+    temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr;
 
     while (remote) {