mod_remoteip: Use r->useragent_addr as the root trusted address for verifying. (7aeb1100) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Commit 7aeb1100 authored Jun 30, 2015 by

Jan Kaluža

mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal
redirection has been generated as response to the request (typically as
result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its
useragent_ip has been changed properly, but when internal redirection
to ErrorDocument has been generated later, the mod_remoteip's handler has been
executed again with *the same* c->client_addr as in the original request. If
c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of
c->client_addr, the internal redirection uses the first non-trusted
IP in this particular case, so it won't change the r->useragent_ip during
the internal redirection to ErrorDocument.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1688399 13f79535-47bb-0310-9956-ffa450edef68

parent 6b5b9ad6

Hide whitespace changes

Inline Side-by-side

Please register or to comment