httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: mod_remoteip and mod_http2 combined
Date Sat, 01 Apr 2017 13:17:11 GMT
Agreed - as many times as I read the spec, I have no idea how I did not
see that security advisory.  It's flat-out damning to the idea of an
"optional" mode. I'll go ahead and rip out the optional processing and
will add your suggested idea of a list of subnets to disable parsing. I
hope to have a patch later this morning to share. As awful as the name
is, I'm thinking RemoteIPProxyProtocolDisableNetworks ARG1 ARG2 ARG3.

-- 
Daniel Ruggeri

On 3/29/2017 4:43 PM, William A Rowe Jr wrote:
> This is the gist of my remaining objections.
>
> It would be nice if the mod_remoteip patch to PROXY protocol followed the
> security advisories of the PROXY draft security comments, and we rip out the
> 'optional' mode. The remaining objection is around the ambiguity of 'optional'
> (which can't exist) and the objection that how PROXY works as an implicit
> trust model using mod_remoteip is laughable, since the connection cannot
> be established without some PROXY protocol line interceptor yanking the
> garbage out of otherwise well-formed HTTP/1.1 - HTTP-TLS - h2c - h2 input.
>
> There is no 'untrusted PROXY header input' because that isn't part of the
> HTTP protocol and that garbage generates a 400 without an interceptor.
> No problem declaring that if we are willing to decode it, we will accept the
> input as gospel.


Mime
View raw message