
Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'

tags/v8.2beta1
Robin McCorkell 9 years ago
parent
commit
8944af57cb
2 changed files with 11 additions and 2 deletions
  1. 7
    1
      config/config.sample.php
  2. 4
    1
      lib/private/appframework/http/request.php

+ 7
- 1
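--- a/config/config.sample.php
+++ b/config/config.sample.php
 /**
 * Headers that should be trusted as client IP address in combination with
-* `trusted_proxies`
+* `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
+* 'HTTP_X_FORWARDED_FOR' here.
+*
+* If set incorrectly, a client can spoof their IP address as visible to
+* ownCloud, bypassing access controls and making logs useless!
+*
+* Defaults to 'HTTP_X_FORWARED_FOR' if unset
 */
 'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),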
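Review bot: The added line `Defaults to 'HTTP_X_FORWARED_FOR' if unset` misspells the key (the D in FORWARDED is missing); it should read `* Defaults to 'HTTP_X_FORWARDED_FOR' if unset` so that it matches the default set in request.php. An administrator who copies the documented name into config.php gets a key that is never present in the request's server array, so the header would be silently ignored. The unchanged sample value `array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR')` also lists neither the new default nor the header the comment describes, so consider changing the sample to `array('HTTP_X_FORWARDED_FOR')`.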



+ 4
- 1
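--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
 $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
 
 if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
-$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', []);
+$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
+'HTTP_X_FORWARDED_FOR'
+// only have one default, so we cannot ship an insecure product out of the box
+]);
 
 foreach($forwardedForHeaders as $header) {
 if(isset($this->server[$header])) {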
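Review bot: With the new default in the `getSystemValue('forwarded_for_headers', [...])` call, any install that already sets `trusted_proxies` but never set `forwarded_for_headers` starts taking the client address from `X-Forwarded-For` after upgrade, where the old `[]` default presumably left the proxy's own address in place. That is only sound if every listed proxy overwrites or strips a client-sent copy of the header, so the inline comment should say so, e.g. `// single default; each trusted proxy must overwrite any client-sent X-Forwarded-For`, and the upgrade notes should mention the change. The configured value is also iterated without the `is_array()` guard that `$trustedProxies` gets, so a scalar in config.php reaches `foreach`; `if (!is_array($forwardedForHeaders)) { $forwardedForHeaders = []; }` before the loop would keep that case on the `REMOTE_ADDR` path. The loop body continues outside the hunk, so whether the header value is validated as an IP address is not visible here.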
