6.0.0-git
2021-01-19

[#6133] don't blindly trust x-forwarded-for
Summary don't blindly trust x-forwarded-for
Queue Horde Framework Packages
Queue Version FRAMEWORK_3
Type Bug
State Resolved
Priority 1. Low
Owners chuck (at) horde (dot) org
Requester uhlar (at) fantomas (dot) sk
Created 2008-01-22 (4746 days ago)
Due
Updated 2008-02-24 (4713 days ago)
Assigned 2008-01-22 (4746 days ago)
Resolved 2008-02-24 (4713 days ago)
Milestone
Patch No

History
2008-02-24 12:00:26 Jan Schneider Comment #6
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Reply to this comment
The most important issue is fixed if I understand it correctly. If you 
create that patch, please create a new enhancement request.
2008-02-12 20:26:35 Chuck Hagenbuch Comment #5 Reply to this comment
I think I have nothing to add, but I may try to code it. Will you
accept a function that requires global setting of trusted proxies?
Not requires, but one that uses a trusted proxy setting if it's 
present. That would be great, thanks.
2008-02-12 17:27:28 uhlar (at) fantomas (dot) sk Comment #4 Reply to this comment
I think I have nothing to add, but I may try to code it. Will you 
accept a function that requires global setting of trusted proxies?
2008-01-23 11:57:42 uhlar (at) fantomas (dot) sk Comment #3 Reply to this comment
The most important part for me is that the IP in horde logs and mail 
headers should match. When our users log to horde, only conecting IP 
is logged and only forwarded IP put into headers, which makes 
searching very difficult.



Providing both proxy and forwarded_for IP's is OK, but forwarded IP is 
imho only useful if scripts will track trusted proxies as I described 
(squid's forwarded_for patch does the same). This requires list of 
trusted proxies/networks as horde/imp configuration option.



Another option is to put all IP's of X-Forwarded-For: line to mail, as 
special header (X-Forwarded-For) or list of Received: headers (this 
could be very useful for spam checkers). If not all, at least the 
trusted forwarded IP should be imho there, adding proxy is useful too.



Personally I would set up function for parsing client IP and 
x-forwarded-for to provide 1-2 (last and first trusted) IP addresses, 
which would be added to logged informations etc
2008-01-22 18:29:00 Chuck Hagenbuch Comment #2
State ⇒ Feedback
Reply to this comment
I've removed the usage of X-forwarded-for when checking the safe_ips 
list. The two other places we use it that aren't simply in log 
messages are in Auth.php (last login info) and MIME_Headers (the 
received: header).



I'm guessing that the received header is the one you care about and 
I'm inclined to agree; throwing out the proxy address there is dubious 
because it's likely to be useful tracking information. What do you 
think about including both (the REMOTE_ADDR value, and a parenthetical 
that it was forwarded for the value of HTTP_X_FORWARDED_FOR)?
2008-01-22 15:52:25 uhlar (at) fantomas (dot) sk Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ don't blindly trust x-forwarded-for
Queue ⇒ Horde Framework Packages
Reply to this comment
there are some places in horde where X-Forwarded-For header is used 
for specifying IP the connection came from. The X-Forwarded-For is 
provided by client that can send anything and it will be used.

This results in e.g. mail headers containing internal IP's unreachable 
from server telling nothing to the admin.



Please make usage of X-Forwarded-For optional. The best solution 
allowing to trust some (e.g. own) proxies would be to have list of 
trusted proxies and check REMOTE_ADDR and HTTP_X_FORWARDED_FOR (from 
last to first) if they match trusted proxy and use the fuirst 
untrusted IP in the list.


Saved Queries