diff options
| -rw-r--r-- | config/config.sample.php | 8 | ||||
| -rw-r--r-- | lib/private/appframework/http/request.php | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index 3b5632087f6..5c362e94250 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -1017,7 +1017,13 @@ $CONFIG = array( /** * Headers that should be trusted as client IP address in combination with - * `trusted_proxies` + * `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use + * 'HTTP_X_FORWARDED_FOR' here. + * + * If set incorrectly, a client can spoof their IP address as visible to + * ownCloud, bypassing access controls and making logs useless! + * + * Defaults to 'HTTP_X_FORWARED_FOR' if unset */ 'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'), diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php index 43f01dfde3f..aaad286e843 100644 --- a/lib/private/appframework/http/request.php +++ b/lib/private/appframework/http/request.php @@ -452,7 +452,10 @@ class Request implements \ArrayAccess, \Countable, IRequest { $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) { - $forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', []); + $forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [ + 'HTTP_X_FORWARDED_FOR' + // only have one default, so we cannot ship an insecure product out of the box + ]); foreach($forwardedForHeaders as $header) { if(isset($this->server[$header])) { |