DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=28125>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28125 mod_rewrite causes privacy leak in http proxy Summary: mod_rewrite causes privacy leak in http proxy Product: Apache httpd-2.0 Version: 2.0.49 Platform: All OS/Version: All Status: NEW Severity: Major Priority: Other Component: mod_rewrite AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] If rewrite rules are used within a <Proxy *></Proxy> block mod_rewrite unconditionally sets r->proxyreq = PROXYREQ_REVERSE which causes modules/proxy/proxy_http.c to add the following headers to all regular, i.e. forward proxy requests: X-Forwarded-For: <local-client-ip> X-Forwarded-Host: <local-client-hostname> X-Forwarded-Server: <local-proxy-hostname> To prevent this privacy leak mod_rewrite must not change the value of r->proxyreq if it already has the value of PROXYREQ_PROXY. Note that this is a very valid scenario as mod_rewrite can be used e.g. to deny certain buggy user agents access to the proxy. Patch follows. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
