From: Mike Rumph Date: Thu, 17 Apr 2014 18:14:49 +0000 (+0000) Subject: Prevent an external proxy from presenting an internal proxy X-Git-Tag: 2.5.0-alpha~4294 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=af0cfb57b79aa9aa531a0ee63223fbae759f2b35;p=apache Prevent an external proxy from presenting an internal proxy in mod_remoteip.c. PR 55962. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588330 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 4e3ef9c9c5..cb5c9ad76f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
 *) mod_ssl: Add hooks to allow other modules to perform processing at several stages of initialization and connection handling. See mod_ssl_openssl.h. [Jeff Trawick]
diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
index 61087590ec..0a1dfac49d 100644
--- a/modules/metadata/mod_remoteip.c
+++ b/modules/metadata/mod_remoteip.c
@@ -230,11 +230,24 @@ static int remoteip_modify_request(request_rec *r)
 char *parse_remote;
 char *eos;
 unsigned char *addrbyte;
+
+ /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured,
+ all proxies will be considered as external trusted proxies.
+ */
 void *internal = NULL;
 if (!config->header_name) {
 return DECLINED;
 }
+
+ if (config->proxymatch_ip) {
+ /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured.
+ In this case, default to internal proxy.
+ */
+ internal = (void *) 1;
+ }
 remote = (char *) apr_table_get(r->headers_in, config->header_name);
 if (!remote) {
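Review bot: `internal = (void *) 1;` uses a bare non-NULL pointer as a flag, so `internal` now carries two meanings: the matched entry's `internal` value, and the start state before any proxy has been tested. A comment at the declaration would make that latch explicit, for example `/* non-NULL: every proxy seen so far was internal; NULL: an external proxy has been seen */`. The start state is "internal" whenever `config->proxymatch_ip` is set, even if no address has matched an entry yet. It is worth confirming, in the part of `remoteip_modify_request` outside this hunk, that an address matching no entry leaves the loop before `internal` is read.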
@@ -254,7 +267,13 @@ static int remoteip_modify_request(request_rec *r)
 match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
 for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
 if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
- internal = match[i].internal;
+ if (internal) {
+ /* Allow an internal proxy to present an external proxy,
+ but do not allow an external proxy to present an internal proxy.
+ In this case, the presented internal proxy will be considered external.
+ */
+ internal = match[i].internal;
+ }
 break;
 }
 }
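Review bot: The comment inside `if (internal) {` describes the case where the branch is not taken: "the presented internal proxy will be considered external" happens only when `internal` is already NULL and the assignment is skipped. Moving the comment above the `if`, or rewording it to something like `/* Only ever downgrade: once an external proxy has matched, later matches cannot restore internal status. */`, would put the security rule next to the condition that enforces it. The guard holds only if nothing else in the enclosing loop resets `internal`. That loop lies outside this hunk, so it should be checked there.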