https://issues.apache.org/bugzilla/show_bug.cgi?id=54651
Bug ID: 54651
Summary: mod_remoteip ends up trusting IPs that it doesn't check
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_remoteip
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
I have confirmed a bug in mod_remoteip.c's remoteip_modify_request function.
This bug was reported by [email protected] in 2012 in this thread:
http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3CCAHa2qaJSW7Hvk68grWMbbiFSA=zaxq1nr_-a-k-pdwbab0g...@mail.gmail.com%3E
The bug appears to still be in httpd/trunk.
The bug here is that, even though temp_sa gets assigned to a new IP with every
iteration of the while-loop, the apr_ipsubnet_test continues to check the list
of proxy match_ip against the same connection IP (using c->client_addr) over
and over again. Thus, if c->client_addr matches, the code always walks to the
very beginning of the X-Forwarded-For header.
--- modules/metadata/mod_remoteip.c (revision 1407459)
+++ modules/metadata/mod_remoteip.c (working copy)
@@ -246,16 +246,16 @@
temp_sa = c->client_addr;
while (remote) {
- /* verify c->client_addr is trusted if there is a trusted proxy list
+ /* verify temp_sa is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
remoteip_proxymatch_t *match;
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
- if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
+ if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
internal = match[i].internal;
break;
}
}
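Review bot: the `for` loop assigns `internal` only when `apr_ipsubnet_test(match[i].ip, temp_sa)` matches and then `break`s; nothing in the hunk resets `internal` or records a miss for the current `temp_sa`, so confirm that the code following this loop (outside the hunk) stops the walk when no entry of `proxymatch_ip` matches, otherwise a hop that fails the check would inherit the `internal` value left by the previous iteration. The comment change from `c->client_addr` to `temp_sa` agrees with the new test argument and is correct.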
The fix is to replace apr_ipsubnet_test(match[i].ip, c->client_addr) with
apr_ipsubnet_test(match[i].ip, temp_sa), and to correct the comment that
mentions c->client_addr. Once fixed, the module works great.
To reproduce this bug, you have to setup mod_remoteip with these directives:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
Then, make two requests:
1) curl --header 'X-Forwarded-For: 1.2.3.4' http://localhost:80/
2) curl --header 'X-Forwarded-For: 1.2.3.4, 5.6.7.8' http://localhost:80/
For (1) the r->useragent_ip logged is expected to be 1.2.3.4. The code
behaves correctly for this case.
For (2) the r->useragent_ip logged should be 5.6.7.8. The current code still
logs 1.2.3.4. This is not the documented behavior, because 5.6.7.8 is not
configured to be "trusted".
EugeneL
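The walk that the report describes, as an added example that is not part of the bug report or of httpd's mod_remoteip: a small C model of the right-to-left X-Forwarded-For walk with the two reproduction cases above as input. It replaces apr_ipsubnet_test with a plain string comparison against a constructed trusted list (127.0.0.1, standing in for RemoteIPInternalProxy), and the names resolve_useragent_ip, useragent_ip_is, split_hops and the check_each_hop flag are hypothetical. With check_each_hop set to 0 the trust test is made against the connection address every time (the behaviour the report observes); with 1 it is made against the address currently being examined (the fix).

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16
#define IP_LEN   64

/* Constructed stand-in for the RemoteIPInternalProxy list (not from httpd). */
static const char *trusted_proxies[] = { "127.0.0.1" };

/* Plain string match used here in place of apr_ipsubnet_test(). */
static int is_trusted(const char *ip)
{
    size_t i;
    for (i = 0; i < sizeof trusted_proxies / sizeof trusted_proxies[0]; i++)
        if (strcmp(ip, trusted_proxies[i]) == 0)
            return 1;
    return 0;
}

/* Split "a, b, c" into trimmed hops, left to right. Returns the hop count. */
static int split_hops(const char *header, char hops[][IP_LEN])
{
    int n = 0;
    const char *p = header;
    while (*p && n < MAX_HOPS) {
        const char *start, *end;
        size_t len;
        while (*p == ' ' || *p == ',')
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        while (end > start && end[-1] == ' ')
            end--;
        len = (size_t)(end - start);
        if (len >= IP_LEN)
            len = IP_LEN - 1;
        memcpy(hops[n], start, len);
        hops[n][len] = '\0';
        n++;
    }
    return n;
}

/* Walk the header from the right. Each pop is allowed only if the address
 * that sent it is trusted. The buggy variant (check_each_hop == 0) tests the
 * connection address on every iteration, so it never stops; the fixed
 * variant tests the hop it is currently standing on (temp_sa in the module).
 * Writes the resulting user-agent address into out. */
void resolve_useragent_ip(const char *client_addr, const char *xff,
                          int check_each_hop, char *out, size_t outlen)
{
    char hops[MAX_HOPS][IP_LEN];
    int n = split_hops(xff, hops);
    const char *cur = client_addr;          /* plays the role of temp_sa */

    while (n > 0) {
        const char *to_check = check_each_hop ? cur : client_addr;
        if (!is_trusted(to_check))
            break;                          /* untrusted hop: stop walking */
        cur = hops[--n];                    /* take the next address from the right */
    }
    snprintf(out, outlen, "%s", cur);
}

/* Convenience wrapper: 1 if the walk yields the expected address. */
int useragent_ip_is(const char *client_addr, const char *xff,
                    int check_each_hop, const char *expected)
{
    char buf[IP_LEN];
    resolve_useragent_ip(client_addr, xff, check_each_hop, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *cases[] = { "1.2.3.4", "1.2.3.4, 5.6.7.8" };  /* the two curl requests */
    size_t i;
    for (i = 0; i < 2; i++) {
        char buggy[IP_LEN], fixed[IP_LEN];
        resolve_useragent_ip("127.0.0.1", cases[i], 0, buggy, sizeof buggy);
        resolve_useragent_ip("127.0.0.1", cases[i], 1, fixed, sizeof fixed);
        printf("XFF '%s': buggy -> %s, fixed -> %s\n", cases[i], buggy, fixed);
    }
    return 0;
}
```

Run stand-alone, the program prints 1.2.3.4 for both variants on the first header and 1.2.3.4 versus 5.6.7.8 on the second, which is exactly the divergence the report measures. The last assertion in the check below also covers a connection from an address that is not in the list at all: the fixed walk then never pops a hop and reports the connection address itself.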