[Koha-bugs] [Bug 25950] REMOTE_ADDR set to null if client_ip in X-Forwarded-For matches a koha_trusted_proxies value

bugzilla-daemon at bugs.koha-community.org
Wed Jul 8 09:36:08 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25950

--- Comment #4 from David Cook <dcook at prosentient.com.au> ---
I probably am not doing a great job of explaining this one.

Without the patch, the "<client>" in the X-Forwarded-For will be tested against
koha_trusted_proxies, even though it's not a proxy. So if the "<client>"
matches against koha_trusted_proxies, it won't be used to set REMOTE_ADDR,
which means it'll be left as null.

With the patch, the "<client>" is extracted from the X-Forwarded-For header
data, and then the REMOTE_ADDR (the proxy that set the X-Forwarded-For) and any
"<proxy>" values from the X-Forwarded-For header are evaluated against
koha_trusted_proxies. If REMOTE_ADDR and "<proxy>" are all trusted, then the
"<client>" is used to re-write REMOTE_ADDR. If they're not trusted, the last
value not trusted will be used to re-write REMOTE_ADDR. So while you might
trust your reverse proxy at REMOTE_ADDR, you might not trust the "<proxy>"
values in X-Forwarded-For.

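The two behaviours described in the comment above, modelled in Python as an added example (not Koha's Perl code and not part of the original message). The function names, the whitespace-separated trusted list format, the fallback for unparsable header values, and the reading of "the last value not trusted" as the rightmost untrusted address are assumptions; all addresses are constructed.

```python
import ipaddress

def parse_trusted(spec):
    """Parse a whitespace-separated list of IPs/CIDRs (list format assumed)."""
    return [ipaddress.ip_network(item, strict=False) for item in spec.split()]

def _ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # header content is client-controlled and may be junk

def _trusted(value, nets):
    ip = _ip(value)
    return ip is not None and any(ip in net for net in nets)

def _split(xff):
    return [v.strip() for v in (xff or "").split(",") if v.strip()]

def real_ip_unpatched(remote_addr, xff, nets):
    """Model of 'without the patch': <client> is tested like a proxy."""
    values = _split(xff)
    if not values or not _trusted(remote_addr, nets):
        return remote_addr
    for value in reversed(values):
        if not _trusted(value, nets):
            return value
    return None  # every entry matched, <client> included: nothing left to use

def real_ip_patched(remote_addr, xff, nets):
    """Model of 'with the patch': only REMOTE_ADDR and <proxy> are tested."""
    values = _split(xff)
    if not values or not _trusted(remote_addr, nets):
        return remote_addr  # header from an untrusted peer is ignored
    client, proxies = values[0], values[1:]
    candidate = client
    for value in reversed(proxies):  # walk from the hop nearest to us
        if not _trusted(value, nets):
            candidate = value  # rightmost untrusted hop wins
            break
    # Assumption: fall back to the peer address if the candidate is not an IP.
    return candidate if _ip(candidate) else remote_addr

# Constructed sample: proxies and staff clients share 10.0.0.0/8.
TRUSTED = parse_trusted("10.0.0.0/8")
```

With `TRUSTED` as above, a request from peer `10.0.0.5` carrying `X-Forwarded-For: 10.1.2.3` yields `None` from the unpatched model and `10.1.2.3` from the patched one.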