On Jun 2, 2010, at 05:00, June 1, 2010 05:17:39 PDT, Richard Hipp wrote:

> [7] In the odd case that I actually convinced you that http proxying is a
> better solution than SCGI for integrating a fossil repo into a larger
> website, adding support for "X-Forwarded-For" is just a few extra lines of
> code in "cgi_init()":
>
> z = (char*)P("REMOTE_ADDR");
> if( z ) g.zIpAddr = mprintf("%s", z);
> + z = (char*)P("X_FORWARDED_FOR");
> + if( z ) g.zIpAddr = mprintf("%s", z);
>
> Here again, we need to be mindful of security. Miscreants can
> easily forge an x-forwarded-for: line in an HTTP request and in the
> default configuration Fossil allows requests from 127.0.0.1
> to bypass the login mechanism. (That login bypass for 127.0.0.1
> makes the "fossil ui" command much more convenient.) So at the very
> least, we would want to check the value supplied by x-forwarded-for
> and make sure it is not 127.0.0.1. In addition, we might want to
> disregard x-forwarded-for completely unless the real REMOTE_ADDR is
> 127.0.0.1, or perhaps some other well-known address specified on the
> "fossil server" or "fossil http" command-line. In other words,
> disregard x-forwarded-for unless the request is coming from a known
> trusted host.
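Review bot: the added `if( z ) g.zIpAddr = mprintf("%s", z);` for X_FORWARDED_FOR replaces the REMOTE_ADDR value unconditionally whenever the header is present, so any client can pick the address Fossil records, 127.0.0.1 included, and with it the localhost login bypass described just below the hunk. Gate the second assignment on REMOTE_ADDR being the trusted proxy and reject loopback values before assigning, as the paragraph after the hunk proposes. Two smaller points: the string returned by the first mprintf() is leaked when the second assignment overwrites g.zIpAddr, and when several proxies are involved the header carries a comma-separated list, so the whole list rather than one address ends up in g.zIpAddr.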
Also, X-Forwarded-For: can have more than one IP address if it passes through more than one proxy (just like X-Forwarded-Host: can have more than one host name). See http://en.wikipedia.org/wiki/X-Forwarded-For for good examples. The above code probably won't have the desired effect if more than one proxy is involved.

For the security aspect, another flag could be added similarly to the remote_user_ok flag so that X-Forwarded-For is only examined if the new flag is set. However, when that flag is set to allow use of X-Forwarded-For, the only way to prevent address forging would be to trust the first proxy visible to the client to drop any incoming X-Forwarded-For headers before adding its own, and that's likely prone to compromise and further presumes all proxies between the client and the server are fully trusted.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
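An added example, not Fossil's code and not from this thread, of the handling both messages above argue for: X-Forwarded-For is only read when REMOTE_ADDR is one of a configured list of proxies, the comma-separated chain is walked from the right so a value the client supplied is never the one chosen, and a loopback address arriving in the header is refused rather than granted the localhost login bypass. The proxy list and the function names are assumptions made for the example.

```c
/* Added example, not Fossil's code. X-Forwarded-For is consulted only when
 * REMOTE_ADDR is a trusted proxy; the rightmost hop that is not a trusted
 * proxy wins (a client-forged value is never picked); loopback is refused. */
#include <string.h>
#include <ctype.h>
#define MAX_HOPS 16
#define ADDR_LEN 64
/* Constructed list of the reverse proxies allowed to append the header. */
static const char *trusted_proxies[] = { "10.0.0.2", "10.0.0.3" };
static int is_trusted(const char *ip) {
    size_t i, n = sizeof trusted_proxies / sizeof *trusted_proxies;
    for (i = 0; i < n; i++) if (strcmp(ip, trusted_proxies[i]) == 0) return 1;
    return 0;
}
/* Split "a, b, c" into trimmed hops; empty or oversize tokens are dropped. */
static int split_hops(const char *xff, char hops[][ADDR_LEN]) {
    int n = 0;
    while (*xff && n < MAX_HOPS) {
        const char *start, *end; size_t len;
        while (*xff == ',' || isspace((unsigned char)*xff)) xff++;
        start = xff;
        while (*xff && *xff != ',') xff++;
        for (end = xff; end > start && isspace((unsigned char)end[-1]); end--) {}
        len = (size_t)(end - start);
        if (len == 0 || len >= ADDR_LEN) continue;
        memcpy(hops[n], start, len);
        hops[n++][len] = '\0';
    }
    return n;
}
/* Returns the address to treat as the client: a hop taken from the header when
 * the chain is trustworthy, otherwise remote_addr itself. Static buffer, so
 * the result is valid until the next call (fine for one request at a time). */
const char *client_addr(const char *remote_addr, const char *xff) {
    static char hops[MAX_HOPS][ADDR_LEN];
    int n, i;
    if (!xff || !is_trusted(remote_addr)) return remote_addr; /* untrusted */
    n = split_hops(xff, hops);
    for (i = n - 1; i >= 0; i--) {                  /* walk right to left */
        if (is_trusted(hops[i])) continue;          /* a proxy we know */
        if (!strcmp(hops[i], "127.0.0.1") || !strcmp(hops[i], "::1"))
            return remote_addr;  /* would hit the localhost login bypass */
        return hops[i];
    }
    return remote_addr;   /* only trusted proxies listed: keep the peer */
}
```

Note that a reverse proxy running on the same host as Fossil makes every REMOTE_ADDR 127.0.0.1, so the loopback login bypass then applies to all requests regardless of this logic; that is a deployment concern the thread raises, not something header parsing can fix.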