From d0c4af10ab713734de906b5634cfc15cd370fdf4 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 1 Nov 2016 11:55:34 +0000 Subject: [PATCH] Merge r1688399 from trunk: mod_remoteip: Use r->useragent_addr as the root trusted address for verifying. This fixes issue resulting in setting of bad useragent_ip when internal redirection has been generated as response to the request (typically as result of "ErrorDocument 40x"). In this case, the original request has been handled by mod_remoteip and its useragent_ip has been changed properly, but when internal redirection to ErrorDocument has been generated later, the mod_remoteip's handler has been executed again with *the same* c->client_addr as in the original request. If c->client_addr IP is trusted, this results in bad useragent_ip being set. When using r->useragent_addr as the root trusted address instead of c->client_addr, the internal redirection uses the first non-trusted IP in this particular case, so it won't change the r->useragent_ip during the internal redirection to ErrorDocument. Submitted by: jkaluza Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 6 +++++- STATUS | 6 ------ modules/metadata/mod_remoteip.c | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 2eae5b3edd..84151b4d03 100644 --- a/CHANGES +++ b/CHANGES @@ -2,8 +2,12 @@ Changes with Apache 2.4.24 + *) mod_remoteip: Pick up where we left off during a subrequest rather + than running with the modified XFF but original TCP address. + PR 49839/PR 60251 + *) core: avoid adding multiple subrequest filters when there are nested - subrequests. PR58292 + subrequests. PR 58292 *) mod_http2: connection shutdown revisited: corrected edge cases on shutting down ongoing streams, changed log warnings to be less noisy diff --git a/STATUS b/STATUS index bfdda73857..2ec21c78ae 100644 --- a/STATUS +++ b/STATUS 
@@ -117,12 +117,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_remoteip: Pick up where we left off during a subrequest rather - than running with the modified XFF but original TCP address. PR49839/PR60251 - trunk patch: http://svn.apache.org/r1688399 - 2.4.x patch: trunk works - +1: covener, ylavic, jim - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c index 0a1dfac49d..28e01df297 100644 --- a/modules/metadata/mod_remoteip.c +++ b/modules/metadata/mod_remoteip.c @@ -255,7 +255,7 @@ static int remoteip_modify_request(request_rec *r) } remote = apr_pstrdup(r->pool, remote); - temp_sa = c->client_addr; + temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr; while (remote) { -- 2.49.0
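Review bot: In the CHANGES hunk, the new mod_remoteip entry says "during a subrequest", while the commit message describes the failure as happening on an internal redirection (typically "ErrorDocument 40x"). Wording the entry around internal redirects would let an operator who saw a wrong client IP on error pages match it to this fix. The same hunk also rewrites "PR58292" as "PR 58292" in the neighbouring core entry, an unrelated cosmetic edit that is easier to track if it is kept out of the backport.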
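Review bot: In the mod_remoteip.c hunk, the new assignment "temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr;" in remoteip_modify_request() changes the root of the trust walk without a code comment. The reason is only in the commit message: a second pass after an internal redirect must start from the address already resolved, not from the TCP peer. A short comment above the assignment would help, and it should state the assumption that r->useragent_addr, when non-NULL here, was either set by an earlier pass of this handler or still equals c->client_addr, since whatever value it holds now becomes the starting address for the trusted-proxy check. The diffstat lists only CHANGES, STATUS and mod_remoteip.c, so a regression test for the ErrorDocument case with a trusted c->client_addr would be worth adding alongside.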