From 2408a6a6ee331c3621937824795a89110cddd34f Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Tue, 16 Feb 2016 13:19:01 +0000
Subject: [PATCH] Merge r1588330 from trunk: Prevent an external proxy from presenting an internal proxy in mod_remoteip.c. PR 55962.
Submitted by: mrumph
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1730684 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 STATUS | 6 ------
 modules/metadata/mod_remoteip.c | 21 ++++++++++++++++++++-
 3 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index a69519976d..a01e4643b8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@ Changes with Apache 2.4.19
 *) core: Add expression support to SetHandler. [Eric Covener]
+ *) mod_remoteip: Prevent an external proxy from presenting an internal
+ proxy. PR 55962. [Mike Rumph]
+
 *) core: Prevent a server crash in case of an invalid CONNECT request with a custom error page for status code 400 that uses server side includes. PR 58929 [Ruediger Pluem]
diff --git a/STATUS b/STATUS
index fb6101a1f5..5ee7c40dd6 100644
--- a/STATUS
+++ b/STATUS
@@ -112,12 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_remoteip: Prevent an external proxy from presenting an internal proxy
- PR 55962.
- Trunk version of patch:
- http://svn.apache.org/r1588330
- Trunk patch applies clean, modulo CHANGES
- +1: wrowe, mrumph, jim
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
index 61087590ec..0a1dfac49d 100644
--- a/modules/metadata/mod_remoteip.c
+++ b/modules/metadata/mod_remoteip.c
@@ -230,11 +230,24 @@ static int remoteip_modify_request(request_rec *r)
 char *parse_remote;
 char *eos;
 unsigned char *addrbyte;
+
+ /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy or RemoteIPTrustedProxyList directive is configured, all proxies will be considered as external trusted proxies. */
 void *internal = NULL;
 if (!config->header_name) {
 return DECLINED;
 }
+
+ if (config->proxymatch_ip) {
+ /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured.
+ In this case, default to internal proxy.
+ */
+ internal = (void *) 1;
+ }
 remote = (char *) apr_table_get(r->headers_in, config->header_name);
 if (!remote) {
@@ -254,7 +267,13 @@ static int remoteip_modify_request(request_rec *r)
 match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
 for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
 if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
- internal = match[i].internal;
+ if (internal) {
+ /* Allow an internal proxy to present an external proxy,
+ but do not allow an external proxy to present an internal proxy.
+ In this case, the presented internal proxy will be considered external.
+ */
+ internal = match[i].internal;
+ }
 break;
 }
 }
--
2.40.0
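Review bot: The sentinel `internal = (void *) 1;` in the new `if (config->proxymatch_ip)` block overloads a pointer as a boolean, so a reader has to piece together from two comments in different places that `internal` now means "a proxy directive is configured and the hop being examined is still on an internal path". Unless the `internal` field of `remoteip_proxymatch_t` (declared outside this hunk) forces a pointer type, an `int internal = 0;` flag with `internal = 1;` here would express the same state without a cast and without a pointer value that must never be dereferenced. The first added comment also sits above the untouched `void *internal = NULL;` declaration while the case it describes is decided by the `if` block below it; an `else` on that block carrying `/* No proxy directive configured: every hop is treated as an external trusted proxy */` would keep both halves of the rule in one place. `remoteip_modify_request` begins before and continues after this hunk.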
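Review bot: The downgrade performed by the guarded assignment is silent: when `internal` is already NULL and `match[i].internal` is set, the hop that an external proxy presented as internal is reclassified with no trace, which is exactly the event an operator investigating a suspicious forwarding chain would want to see. A debug-level message in the otherwise empty `else` path, `else if (match[i].internal) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "RemoteIP: external proxy presented an internal proxy; treating it as external"); }`, makes the rule observable without changing the outcome. As far as this hunk shows, the subnet match and the `break` are unchanged, so such a hop still appears to be accepted as a trusted proxy and only its internal/external label changes; the new comment could say that explicitly so nobody reads it as rejecting the hop. The enclosing `for` loop and `remoteip_modify_request` continue outside the hunk.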