authorMike Rumph <mrumph@apache.org>2014-04-17 18:14:49 +0000
committerMike Rumph <mrumph@apache.org>2014-04-17 18:14:49 +0000
commitaf0cfb57b79aa9aa531a0ee63223fbae759f2b35 (patch)
tree6bb6ab8155680c965fb3dedc37e8891070630ed0 /modules/metadata
parentcb0e0872a44310ad4a6b8565cfb551cf0fe2513b (diff)
downloadhttpd-af0cfb57b79aa9aa531a0ee63223fbae759f2b35.tar.gz
Prevent an external proxy from presenting an internal proxy
in mod_remoteip.c. PR 55962. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588330 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/metadata')
-rw-r--r--modules/metadata/mod_remoteip.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
index 61087590ec..0a1dfac49d 100644
--- a/modules/metadata/mod_remoteip.c
+++ b/modules/metadata/mod_remoteip.c
@@ -230,11 +230,24 @@ static int remoteip_modify_request(request_rec *r)
char *parse_remote;
char *eos;
unsigned char *addrbyte;
+
+ /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured,
+ all proxies will be considered as external trusted proxies.
+ */
void *internal = NULL;
if (!config->header_name) {
return DECLINED;
}
+
+ if (config->proxymatch_ip) {
+ /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
+ or RemoteIPTrustedProxyList directive is configured.
+ In this case, default to internal proxy.
+ */
+ internal = (void *) 1;
+ }
remote = (char *) apr_table_get(r->headers_in, config->header_name);
if (!remote) {
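Review bot: The new `internal = (void *) 1;` makes a pointer double as a boolean with a magic sentinel, and the comment placed above `void *internal = NULL;` describes the unconfigured case rather than what the variable means. Since the hunk's own comments tie this value to whether a proxy is treated as internal or external, I would document the declaration itself, e.g. `void *internal = NULL; /* non-NULL: the proxy presenting the next address is internal; NULL: external */`, and move the unconfigured-case text next to the `if (config->proxymatch_ip)` test. That test checks only that the array exists; if an empty list file can leave a non-NULL array with `nelts == 0` (not visible here), the internal default would apply with no entry to match against, so `if (config->proxymatch_ip && config->proxymatch_ip->nelts)` may be the safer condition. remoteip_modify_request starts and ends outside this hunk.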
@@ -254,7 +267,13 @@ static int remoteip_modify_request(request_rec *r)
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
- internal = match[i].internal;
+ if (internal) {
+ /* Allow an internal proxy to present an external proxy,
+ but do not allow an external proxy to present an internal proxy.
+ In this case, the presented internal proxy will be considered external.
+ */
+ internal = match[i].internal;
+ }
break;
}
}
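Review bot: When `internal` is already NULL and the matched entry is an internal proxy, the new `if (internal)` guard demotes that hop to external without leaving any trace, which makes it hard to tell from the logs why a forwarded address was later refused. A debug-level message on that path would help, e.g. `else if (match[i].internal) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "RemoteIP: internal proxy presented by an external proxy; treating it as external"); }`; whether later code already logs the outcome is not visible here. The comment's "In this case" is also ambiguous and would read more clearly as "once an external proxy has been seen, every later hop is treated as external, even if it matches an internal entry". The enclosing loop and function continue outside the hunk.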