[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Michael Stucki michael at typo3.org
Fri Feb 29 14:17:49 CET 2008


Hi Martin,

finally I could try this patch.

Martin Kutschker wrote:

>>> Problem:
>>> When requesting the clients REMOTE_ADDR, it can happen that there is a
>>> proxy in between server and client, which replaces the value with his
>>> own IP, and puts the original IP in HTTP_X_FORWARDED_FOR instead.
> 
> It's not clearly stated here and in the bug report, but generally we
> only want to handle well-know reverse proxies. Anything else would be a
> security risk.

I absolutely agree!

>> Here's a new patch. This one is more secure as it ties TYPO3 to a set of
>> know proxies. Furthermore you may define that one or more proxies use
>> SSL in connection to the Internet. And additionally it's possibly to add
>> a prefix for http and https proxies in case there is a (weird) path
>> changing proxy setup in place (seems to be the case with some mass
>> SSL-BE hosters).
> 
> The 3rd version uses now SYS[reverseProxy*] to signify more the real
> usage.
> 
> It also has now a config that defines how to deal with multiple values
> in HTTP_X_FORWARDED_FOR/HTTP_X_FORWARDED_HOST. Possible options to use
> the first, the last or none. None is the default.

Makes perfect sense. However, I (currently) have no server to test this.
Will do later. What I did check was whether it will break some existing
behaviours, and it does not! So I would say you should commit this patch.

However, the code has some issues.

Most important: Please _always_ check your patches before committing them!
Just run "svn diff" and you would see this, for example: Your patch removes
a line in config_default.php which should stay there (unless you provide a
good reason for it):
- 'SC_mod_web_perm_ajax::dispatch' => [...]

config_default.php: The description for "reverseProxySSL" refers
to "SYS[proxyIP]" intead of "SYS[reverseProxyIP]". Must be fixed.

There seems to be a mistake in the case switch for "TYPO3_SSL": The
comparison is always made against "SYS[reverseProxyIP]" disregarding of
the "SYS[reverseProxyIP]" setting. Must be fixed.

Various things:  (all marginal, can be done later)
- the cmpIP comparison against "reverseProxyIP" should only be only made if
  the value is set
- typo in config_default: "when SSL accessing the server via an SSL proxy"

Regards, michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/


More information about the TYPO3-team-core mailing list