Agreed - as many times as I read the spec, I have no idea how I did not see that security advisory. It's flat-out damning to the idea of an "optional" mode. I'll go ahead and rip out the optional processing and will add your suggested idea of a list of subnets to disable parsing. I hope to have a patch later this morning to share. As awful as the name is, I'm thinking RemoteIPProxyProtocolDisableNetworks ARG1 ARG2 ARG3.
-- 
Daniel Ruggeri

On 3/29/2017 4:43 PM, William A Rowe Jr wrote:
> This is the gist of my remaining objections.
>
> It would be nice if the mod_remoteip patch to PROXY protocol followed the
> security advisories of the PROXY draft security comments, and we rip out the
> 'optional' mode. The remaining objection is around the ambiguity of 'optional'
> (which can't exist) and the objection that how PROXY works as an implicit
> trust model using mod_remoteip is laughable, since the connection cannot
> be established without some PROXY protocol line interceptor yanking the
> garbage out of otherwise well-formed HTTP/1.1 - HTTP-TLS - h2c - h2 input.
>
> There is no 'untrusted PROXY header input' because that isn't part of the
> HTTP protocol and that garbage generates a 400 without an interceptor.
> No problem declaring that if we are willing to decode it, we will accept the
> input as gospel.
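
The policy this thread converges on (PROXY header mandatory on the listener, a list of networks for which parsing is disabled, and no "optional" guessing), sketched as an added Python example that is not part of the thread or of the mod_remoteip patch. The network list, function names and sample inputs are constructed, and only the v1 text header is handled.

```python
import ipaddress

# Constructed for illustration: peers for which header parsing is disabled.
DISABLE_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
V1_MAX = 107  # longest v1 header line, CRLF included, per the PROXY spec
FAMILIES = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}


class ProxyHeaderError(Exception):
    """The header is required for this peer but is missing or malformed."""


def parse_v1(data):
    """Return ((client_ip, client_port) or None, payload) from a v1 header."""
    end = data.find(b"\r\n", 0, V1_MAX)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("no PROXY v1 header at start of connection")
    try:
        fields = data[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":
            return None, data[end + 2:]  # proxy could not name the client
        family, src, dst, sport, dport = fields[1:]
        src_ip = FAMILIES[family](src)
        FAMILIES[family](dst)  # validated only; destination is not used here
        if not (sport.isdigit() and dport.isdigit()):
            raise ValueError("non-numeric port")
        if int(sport) > 65535 or int(dport) > 65535:
            raise ValueError("port out of range")
    except (ValueError, KeyError) as exc:
        raise ProxyHeaderError(f"malformed PROXY v1 header: {exc}") from exc
    return (str(src_ip), int(sport)), data[end + 2:]


def client_for_connection(peer_ip, first_bytes):
    """Decide per connection, from configuration alone, whether to parse."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in DISABLE_NETWORKS):
        # Listed peers speak the plain protocol: bytes pass through untouched,
        # so a PROXY line they send is never decoded or trusted.
        return None, first_bytes
    # Every other peer must send the header. There is no "optional" fallback
    # to plain HTTP: a missing header is an error, never a guess.
    return parse_v1(first_bytes)
```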