From 8944af57cbd1fd2962b6adeaed76c6cd41712453 Mon Sep 17 00:00:00 2001
From: Robin McCorkell
Date: Sat, 25 Jul 2015 18:10:21 +0100
Subject: Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'
---
 config/config.sample.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'config')
diff --git a/config/config.sample.php b/config/config.sample.php
index 3b5632087f6..5c362e94250 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -1017,7 +1017,13 @@ $CONFIG = array(
 /**
 * Headers that should be trusted as client IP address in combination with
- * `trusted_proxies`
+ * `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
+ * 'HTTP_X_FORWARDED_FOR' here.
+ *
+ * If set incorrectly, a client can spoof their IP address as visible to
+ * ownCloud, bypassing access controls and making logs useless!
+ *
+ * Defaults to 'HTTP_X_FORWARED_FOR' if unset
 */
 'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
--
cgit v1.2.3
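Review bot: The added line `* Defaults to 'HTTP_X_FORWARED_FOR' if unset` misspells the key (the D in FORWARDED is missing), so an administrator who copies it would trust a header their proxy presumably neither sets nor sanitises; it should read `* Defaults to 'HTTP_X_FORWARDED_FOR' if unset`. The unchanged sample value `array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR')` also disagrees with that documented default and with the commit subject, and because the new text itself warns that a wrong value allows IP spoofing, the sample would be safer as `array('HTTP_X_FORWARDED_FOR'),`. The comment could additionally say that a listed header is only trustworthy when every host in `trusted_proxies` overwrites or strips it on incoming requests. The enclosing `$CONFIG = array(` starts and ends outside the hunk.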