httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 55637] New: RemoteIPInternalProxy and RemoteIPInternalProxyList directives are processed incorrectly
Date Mon, 07 Oct 2013 09:40:37 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55637

            Bug ID: 55637
           Summary: RemoteIPInternalProxy and RemoteIPInternalProxyList
                    directives are processed incorrectly
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_remoteip
          Assignee: bugs@httpd.apache.org
          Reporter: vivanv@mail.ru

The RemoteIPInternalProxy and RemoteIPInternalProxyList directives are processed
incorrectly.
If you check the remoteip_modify_request function you can see that
the "internal" flag is shifted left for "IP" in RemoteIPHeader.

To reproduce this bug, you have to set up mod_remoteip with these directives:

LogFormat "%h %a %{c}a %{X-Forwarded-For}i %l %u %t \"%m\" \"%r&\" \"%q&\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" pid=%{pid}P tid=%{tid}P time_ms=%D" combined

CustomLog "|/import/home/ivan.voronin/tmp/tmp/apache_project/distrib/apache2/bin/rotatelogs logs/access_log.%Y.%m.%d 86400" combined

<Location /test>
    Order Deny,Allow
    Deny from all
    Allow from localhost 127.0.0.1 1.1.1.1
</Location>

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy 172.20.106.70
RemoteIPTrustedProxy 87.250.250.203



GET http://srv2-x64rh6-01:1280/test/1.xml

[no cookies]

Request Headers:
Connection: keep-alive
X-Forwarded-For: 1.1.1.2, 1.1.1.1, 127.0.0.1, 87.250.250.203
Accept: */*
X-Forwarded-By: 87.250.250.203
Host: srv2-x64rh6-01:1280
User-Agent: Apache-HttpClient/4.1.2 (java 1.5)

I expected that mod_remoteip would override the client IP with 1.1.1.1,
because 87.250.250.203 is trusted and 127.0.0.1 is internal trusted.
Actually, the client IP was overridden with 87.250.250.203.

access_log:
ivoronin.net.billing.ru 87.250.250.203 172.20.106.70 1.1.1.2, 1.1.1.1, 127.0.0.1 - - [07/Oct/2013:13:16:28 +0400] "GET" "GET /test/1.xml HTTP/1.1&" "&" 403 212 "-" "Apache-HttpClient/4.1.2 (java 1.5)" pid=5425 tid=140701266933504 time_ms=2264

error_log:
[Mon Oct 07 13:16:28.739087 2013] [remoteip:debug] [pid 5425:tid 140701266933504] mod_remoteip.c(343): [client 172.20.106.70:58848] AH01569: RemoteIP: Header X-Forwarded-For value of 127.0.0.1 appears to be a private IP or nonsensical.  Ignored
[Mon Oct 07 13:16:28.740823 2013] [access_compat:error] [pid 5425:tid 140701266933504] [client 87.250.250.203:58848] AH01797: client denied by server configuration: /import/home/ivan.voronin/tmp/tmp/apache_project/distrib/apache2/htdocs/test/1.xml
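The following is an added model of the right-to-left X-Forwarded-For walk, not code from the report or from mod_remoteip itself. It uses the proxy lists and header from the report and lets you switch the rule that decides when a private value such as 127.0.0.1 is accepted: judged by the proxy that presented it (which reproduces the 87.250.250.203 result in the logs above) or by the value itself being a configured internal proxy (the result the reporter expected, 1.1.1.1). The two rule names are labels chosen for this example.

```python
import ipaddress

# Proxy lists, constructed from the RemoteIPInternalProxy / RemoteIPTrustedProxy
# directives in the report above.
INTERNAL = [ipaddress.ip_network("127.0.0.1"), ipaddress.ip_network("172.20.106.70")]
TRUSTED = [ipaddress.ip_network("87.250.250.203")]

def proxy_kind(addr):
    """Return 'internal', 'trusted' or None for one address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTERNAL):
        return "internal"
    if any(ip in net for net in TRUSTED):
        return "trusted"
    return None

def resolve_client(peer, xff, internal_rule):
    """Walk the X-Forwarded-For chain right to left and pick the client IP.

    peer is the TCP peer (%{c}a), xff the header value. internal_rule says when
    a private/loopback value may be accepted: 'presenter' -> only if the proxy
    that presented it (the address to its right, or the peer) is internal,
    which reproduces the reporter's logs; 'value' -> if the value itself is a
    configured internal proxy, which is what the reporter expected.
    Returns (client_ip, values_left_in_header).
    """
    values = [v.strip() for v in xff.split(",") if v.strip()]
    remote = peer
    while values:
        kind = proxy_kind(remote)
        if kind is None:
            break  # presenter is not a configured proxy: the walk stops here
        candidate = values[-1]
        try:
            is_global = ipaddress.ip_address(candidate).is_global
        except ValueError:
            break  # not an IP address at all: nonsensical, ignored
        if not is_global:
            if internal_rule == "presenter":
                allowed = kind == "internal"
            else:
                allowed = proxy_kind(candidate) == "internal"
            if not allowed:
                break  # AH01569: private IP or nonsensical, ignored
        values.pop()
        remote = candidate
    return remote, values
```

Calling `resolve_client("172.20.106.70", "1.1.1.2, 1.1.1.1, 127.0.0.1, 87.250.250.203", rule)` returns the client IP plus the values that would remain in the rewritten header, so you can compare the two rules against the %a and %{X-Forwarded-For}i fields in the access_log entry.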


