6.0.0-beta1
7/7/25

[#6133] don't blindly trust x-forwarded-for
Summary don't blindly trust x-forwarded-for
Queue Horde Framework Packages
Queue Version FRAMEWORK_3
Type Bug
State Resolved
Priority 1. Low
Owners chuck (at) horde (dot) org
Requester uhlar (at) fantomas (dot) sk
Created 01/22/2008 (6376 days ago)
Due
Updated 02/24/2008 (6343 days ago)
Assigned 01/22/2008 (6376 days ago)
Resolved 02/24/2008 (6343 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
02/24/2008 12:00:26 PM Jan Schneider Comment #6
Assigned to Chuck Hagenbuch
State ⇒ Resolved
Reply to this comment
The most important issue is fixed if I understand it correctly. If you 
create that patch, please create a new enhancement request.
02/12/2008 08:26:35 PM Chuck Hagenbuch Comment #5 Reply to this comment
I think I have nothing to add, but I may try to code it. Will you
accept a function that requires global setting of trusted proxies?
Not requires, but one that uses a trusted proxy setting if it's 
present. That would be great, thanks.
02/12/2008 05:27:28 PM uhlar (at) fantomas (dot) sk Comment #4 Reply to this comment
I think I have nothing to add, but I may try to code it. Will you 
accept a function that requires global setting of trusted proxies?
01/23/2008 11:57:42 AM uhlar (at) fantomas (dot) sk Comment #3 Reply to this comment
The most important part for me is that the IP in horde logs and mail 
headers should match. When our users log to horde, only conecting IP 
is logged and only forwarded IP put into headers, which makes 
searching very difficult.



Providing both proxy and forwarded_for IP's is OK, but forwarded IP is 
imho only useful if scripts will track trusted proxies as I described 
(squid's forwarded_for patch does the same). This requires list of 
trusted proxies/networks as horde/imp configuration option.



Another option is to put all IP's of X-Forwarded-For: line to mail, as 
special header (X-Forwarded-For) or list of Received: headers (this 
could be very useful for spam checkers). If not all, at least the 
trusted forwarded IP should be imho there, adding proxy is useful too.



Personally I would set up function for parsing client IP and 
x-forwarded-for to provide 1-2 (last and first trusted) IP addresses, 
which would be added to logged informations etc
01/22/2008 06:29:00 PM Chuck Hagenbuch Comment #2
State ⇒ Feedback
Reply to this comment
I've removed the usage of X-forwarded-for when checking the safe_ips 
list. The two other places we use it that aren't simply in log 
messages are in Auth.php (last login info) and MIME_Headers (the 
received: header).



I'm guessing that the received header is the one you care about and 
I'm inclined to agree; throwing out the proxy address there is dubious 
because it's likely to be useful tracking information. What do you 
think about including both (the REMOTE_ADDR value, and a parenthetical 
that it was forwarded for the value of HTTP_X_FORWARDED_FOR)?
01/22/2008 03:52:25 PM uhlar (at) fantomas (dot) sk Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ don't blindly trust x-forwarded-for
Queue ⇒ Horde Framework Packages
State ⇒ Unconfirmed
Reply to this comment
there are some places in horde where X-Forwarded-For header is used 
for specifying IP the connection came from. The X-Forwarded-For is 
provided by client that can send anything and it will be used.

This results in e.g. mail headers containing internal IP's unreachable 
from server telling nothing to the admin.



Please make usage of X-Forwarded-For optional. The best solution 
allowing to trust some (e.g. own) proxies would be to have list of 
trusted proxies and check REMOTE_ADDR and HTTP_X_FORWARDED_FOR (from 
last to first) if they match trusted proxy and use the fuirst 
untrusted IP in the list.


Saved Queries