authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-08-23 12:24:08 +0100
committerVsevolod Stakhov <vsevolod@highsecure.ru>2016-08-23 12:24:08 +0100
commit8e5f8a310c08803c8523784e6f0a71eec2090327 (patch)
tree76dfb991c22cbda037dceeb0722df7aaeaf4a59a
parentf0d7449414c8271fa4c232949ce9b57f32818562 (diff)
downloadrspamd-8e5f8a310c08803c8523784e6f0a71eec2090327.tar.gz
rspamd-8e5f8a310c08803c8523784e6f0a71eec2090327.zip
[Fix] Fix handling of proxied headers in controller
-rw-r--r--src/controller.c56
1 files changed, 35 insertions, 21 deletions
diff --git a/src/controller.c b/src/controller.c
index b77d4e771..e139881fe 100644
--- a/src/controller.c
+++ b/src/controller.c
@@ -369,29 +369,39 @@ rspamd_controller_check_forwarded (struct rspamd_controller_session *session,
* We need to parse and update the header
* X-Forwarded-For: client, proxy1, proxy2
*/
- comma = memchr (hdr->begin, ',', hdr->len);
+ comma = rspamd_memrchr (hdr->begin, ',', hdr->len);
if (comma != NULL) {
- if (rspamd_parse_inet_address (&addr, hdr->begin,
- comma - hdr->begin)) {
- /* We have addr now, so check if it is still trusted */
- if (ctx->secure_map &&
- radix_find_compressed_addr (ctx->secure_map,
- addr) != RADIX_NO_VALUE) {
- /* rspamd_inet_address_to_string is not reentrant */
- rspamd_strlcpy (ip_buf, rspamd_inet_address_to_string (addr),
- sizeof (ip_buf));
- msg_info_session ("allow unauthorized proxied connection "
- "from a trusted IP %s via %s",
- ip_buf,
- rspamd_inet_address_to_string (session->from_addr));
- ret = 1;
- }
- else {
- ret = -1;
- }
-
- rspamd_inet_address_destroy (addr);
+ while (comma < hdr->begin + hdr->len && g_ascii_isspace (*comma)) {
+ comma ++;
+ }
+ }
+ else {
+ comma = hdr->begin;
+ }
+ if (rspamd_parse_inet_address (&addr, hdr->begin,
+ comma - hdr->begin)) {
+ /* We have addr now, so check if it is still trusted */
+ if (ctx->secure_map &&
+ radix_find_compressed_addr (ctx->secure_map,
+ addr) != RADIX_NO_VALUE) {
+ /* rspamd_inet_address_to_string is not reentrant */
+ rspamd_strlcpy (ip_buf, rspamd_inet_address_to_string (addr),
+ sizeof (ip_buf));
+ msg_info_session ("allow unauthorized proxied connection "
+ "from a trusted IP %s via %s",
+ ip_buf,
+ rspamd_inet_address_to_string (session->from_addr));
+ ret = 1;
}
+ else {
+ ret = -1;
+ }
+
+ rspamd_inet_address_destroy (addr);
+ }
+ else {
+ msg_warn_session ("cannot parse forwarded IP: %T", hdr);
+ ret = -1;
}
}
else {
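Review bot: The address parse after the comma scan still reads from `hdr->begin` for `comma - hdr->begin` bytes, so it never looks at the last X-Forwarded-For entry that `rspamd_memrchr` was meant to select. With no comma, `comma = hdr->begin` makes the length zero, and with a comma the range covers everything before the last entry; both presumably fail to parse and land in the new `ret = -1` branch, so requests relayed by a trusted proxy would be rejected. The skip loop also never advances, because `comma` points at the ',' itself and `g_ascii_isspace (',')` is false. I would change the loop test to `(*comma == ',' || g_ascii_isspace (*comma))` and parse the tail with `rspamd_parse_inet_address (&addr, comma, (hdr->begin + hdr->len) - comma)`. The function body starts and ends outside this hunk, so how callers use `ret` is inferred.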
@@ -419,6 +429,10 @@ rspamd_controller_check_forwarded (struct rspamd_controller_session *session,
rspamd_inet_address_destroy (addr);
}
+ else {
+ msg_warn_session ("cannot parse real IP: %T", hdr);
+ ret = -1;
+ }
}
}
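Review bot: The new `msg_warn_session ("cannot parse real IP: %T", hdr)` writes a client-supplied header value into the log as received, as does the matching X-Forwarded-For warning in the first hunk. If the logger does not escape control characters for `%T` (not visible here), a crafted header could garble or forge log lines, so it is worth confirming that or logging only a bounded prefix of the value. A short comment such as `/* hdr is untrusted input; the logger must escape it */` above both calls would record the assumption. The enclosing function continues outside this hunk.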