On Sat, Aug 3, 2013 at 6:16 PM, Maxim Khitrov <m...@mxcrypt.com> wrote:
> > Your patch would allow clients to forge their IP address by injecting an
> > X-Forwarded-For header in the HTTP request. Fossil has no way of knowing if
> > the X-Forwarded-For comes from a trusted proxy or a malicious client.
>
> What about adding a config option to allow this header only when
> fossil is running behind a reverse proxy? Alternatively, you could
> accept X-Forwarded-For by default when the remote address is the local
> host. That should take care of the most common setup.
>
> I'm testing a patch to do the latter now.

Actually, my patch adds a subroutine cgi_accept_forwarded_for() which can
return true or false to decide if the X-FORWARDED-FOR header is accepted.
We can tweak that algorithm as necessary moving forward - to look for
command-line options perhaps, or perhaps to accept X-FORWARDED-FOR from
machines on the same subnet - stuff like that.

--
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
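The check the thread converges on, accept X-Forwarded-For only when the direct peer is the local host (i.e. a reverse proxy on the same machine) and otherwise fall back to REMOTE_ADDR, can be sketched in C as follows. This is an added example written for this page; it is not Fossil's cgi_accept_forwarded_for() nor any code from the thread, and the function names (accept_forwarded_for, effective_client_ip, client_ip_str) and the sample addresses are constructed for the illustration. It goes slightly beyond the thread by taking only the last (proxy-appended) hop of a multi-entry header and rejecting values that do not look like an IP literal, so a client-supplied value cannot be smuggled into logs.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical policy hook: trust X-Forwarded-For only when the TCP peer
   is the local host, which is the "reverse proxy on the same machine"
   setup discussed on the list. Any other peer could have written the
   header itself, so its value is ignored. */
int accept_forwarded_for(const char *remote_addr){
  if( remote_addr==0 ) return 0;
  if( strcmp(remote_addr, "127.0.0.1")==0 ) return 1;
  if( strcmp(remote_addr, "::1")==0 ) return 1;
  if( strcmp(remote_addr, "::ffff:127.0.0.1")==0 ) return 1;
  return 0;
}

/* Accept only characters that can appear in an IPv4/IPv6 literal. */
static int looks_like_ip_literal(const char *s){
  if( *s==0 ) return 0;
  for(; *s; s++){
    if( !(isxdigit((unsigned char)*s) || *s=='.' || *s==':') ) return 0;
  }
  return 1;
}

/* Copy the last comma-separated entry of X-Forwarded-For into out.
   The last entry is the one appended by the proxy adjacent to us, so it
   is the only one that proxy vouches for; earlier entries may have been
   sent by the client. Returns 1 on success, 0 if empty or malformed. */
static int last_hop(const char *xff, char *out, size_t n){
  const char *end, *start;
  size_t len;
  if( xff==0 ) return 0;
  end = xff + strlen(xff);
  while( end>xff && isspace((unsigned char)end[-1]) ) end--;
  start = end;
  while( start>xff && start[-1]!=',' ) start--;
  while( start<end && isspace((unsigned char)*start) ) start++;
  len = (size_t)(end-start);
  if( len==0 || len>=n ) return 0;
  memcpy(out, start, len);
  out[len] = 0;
  return looks_like_ip_literal(out);
}

/* Address to treat as the client's. The forwarded header overrides
   REMOTE_ADDR only when the peer is trusted and the header is usable;
   otherwise the peer address itself is returned. */
const char *effective_client_ip(const char *remote_addr, const char *xff,
                                char *out, size_t n){
  if( accept_forwarded_for(remote_addr) && last_hop(xff, out, n) ){
    return out;
  }
  return remote_addr;
}

/* Convenience wrapper with its own buffer, for quick checks. */
const char *client_ip_str(const char *remote_addr, const char *xff){
  static char buf[64];
  return effective_client_ip(remote_addr, xff, buf, sizeof buf);
}

int main(void){
  /* Constructed sample requests, as a CGI program would see them. */
  printf("%s\n", client_ip_str("127.0.0.1", "198.51.100.7, 10.0.0.2"));
  printf("%s\n", client_ip_str("203.0.113.5", "198.51.100.7"));
  printf("%s\n", client_ip_str("127.0.0.1", "not an address"));
  return 0;
}
```

The first request comes through a local proxy, so the proxy-appended hop 10.0.0.2 is reported; the second arrives directly from 203.0.113.5, so its header is ignored and the peer address stands; the third has a trusted peer but an unusable header and falls back to the peer address as well.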