Fossil SCM

Accept the X-Forwarded-For HTTP header argument if input is coming from a socket with a remote address of "127.0.0.1".

drh 2013-08-03 22:42 UTC trunk
Commit 29b558a1c10f6c627548f30bac8becd5ebfff331
1 file changed +15
+15
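--- a/src/cgi.c
+++ b/src/cgi.c
@@ -1131,10 +1131,20 @@
 va_end(ap);
 cgi_reply();
 fossil_exit(1);
 }
 }
+
+/* z[] is the value of an X-FORWARDED-FOR: line in an HTTP header.
+** Return true if we should accept this value as a real IP address.
+** Return false to stick with the IP address previously computed and
+** loaded into g.zIpAddr.
+*/
+static int cgi_accept_forwarded_for(const char *z){
+ if( fossil_strcmp(g.zIpAddr, "127.0.0.1")==0 ) return 1;
+ return 0;
+}
 
 /*
 ** Remove the first space-delimited token from a string and return
 ** a pointer to it. Add a NULL to the string to terminate the token.
 ** Make *zLeftOver point to the start of the next token.
@@ -1242,10 +1252,15 @@
 }else if( fossil_strcmp(zFieldName,"referer:")==0 ){
 cgi_setenv("HTTP_REFERER", zVal);
 #endif
 }else if( fossil_strcmp(zFieldName,"user-agent:")==0 ){
 cgi_setenv("HTTP_USER_AGENT", zVal);
+ }else if( fossil_strcmp(zFieldName,"x-forwarded-for:")==0 ){
+ if( cgi_accept_forwarded_for(zVal) ){
+ g.zIpAddr = mprintf("%s", zVal);
+ cgi_replace_parameter("REMOTE_ADDR", g.zIpAddr);
+ }
 }
 }
 cgi_init();
 cgi_trace(0);
 }
 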
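Review bot: cgi_accept_forwarded_for() never looks at its z argument, so once the peer address is 127.0.0.1 any X-Forwarded-For value — a comma-separated proxy chain, or arbitrary bytes — is copied verbatim into g.zIpAddr and REMOTE_ADDR at the `g.zIpAddr = mprintf("%s", zVal);` line of the second hunk, and everything downstream that logs or decides on REMOTE_ADDR then sees a sender-chosen string. The loopback check establishes only that the connection came from the same host, not that a reverse proxy set the header, so the function should additionally verify that z is a single well-formed IPv4/IPv6 literal (taking the first list element if a proxy chain is expected) and return 0 otherwise, letting a malformed value fall back to the socket address as the header comment promises. The comment on the new function should state that trust assumption explicitly, e.g. `** The value is only trusted when the connection arrives over loopback,` / `** i.e. from a reverse proxy on the same host; z itself is not yet validated.`. The previous g.zIpAddr is overwritten without being released on that same line; if it was produced by mprintf() this is a small leak, which is worth confirming. The function enclosing the second hunk begins outside the hunk.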
--- src/cgi.c
+++ src/cgi.c
@@ -1131,10 +1131,20 @@
1131 va_end(ap);
1132 cgi_reply();
1133 fossil_exit(1);
1134 }
1135 }
 
 
 
 
 
 
 
 
 
 
1136
1137 /*
1138 ** Remove the first space-delimited token from a string and return
1139 ** a pointer to it. Add a NULL to the string to terminate the token.
1140 ** Make *zLeftOver point to the start of the next token.
@@ -1242,10 +1252,15 @@
1242 }else if( fossil_strcmp(zFieldName,"referer:")==0 ){
1243 cgi_setenv("HTTP_REFERER", zVal);
1244 #endif
1245 }else if( fossil_strcmp(zFieldName,"user-agent:")==0 ){
1246 cgi_setenv("HTTP_USER_AGENT", zVal);
 
 
 
 
 
1247 }
1248 }
1249 cgi_init();
1250 cgi_trace(0);
1251 }
1252
--- src/cgi.c
+++ src/cgi.c
@@ -1131,10 +1131,20 @@
1131 va_end(ap);
1132 cgi_reply();
1133 fossil_exit(1);
1134 }
1135 }
1136
1137 /* z[] is the value of an X-FORWARDED-FOR: line in an HTTP header.
1138 ** Return true if we should accept this value as a real IP address.
1139 ** Return false to stick with the IP address previously computed and
1140 ** loaded into g.zIpAddr.
1141 */
1142 static int cgi_accept_forwarded_for(const char *z){
1143 if( fossil_strcmp(g.zIpAddr, "127.0.0.1")==0 ) return 1;
1144 return 0;
1145 }
1146
1147 /*
1148 ** Remove the first space-delimited token from a string and return
1149 ** a pointer to it. Add a NULL to the string to terminate the token.
1150 ** Make *zLeftOver point to the start of the next token.
@@ -1242,10 +1252,15 @@
1252 }else if( fossil_strcmp(zFieldName,"referer:")==0 ){
1253 cgi_setenv("HTTP_REFERER", zVal);
1254 #endif
1255 }else if( fossil_strcmp(zFieldName,"user-agent:")==0 ){
1256 cgi_setenv("HTTP_USER_AGENT", zVal);
1257 }else if( fossil_strcmp(zFieldName,"x-forwarded-for:")==0 ){
1258 if( cgi_accept_forwarded_for(zVal) ){
1259 g.zIpAddr = mprintf("%s", zVal);
1260 cgi_replace_parameter("REMOTE_ADDR", g.zIpAddr);
1261 }
1262 }
1263 }
1264 cgi_init();
1265 cgi_trace(0);
1266 }
1267
