Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'
parent
9650f3ecbe
commit
8944af57cb
|
@ -1017,7 +1017,13 @@ $CONFIG = array(
|
|||
|
||||
/**
|
||||
* Headers that should be trusted as client IP address in combination with
|
||||
* `trusted_proxies`
|
||||
* `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
|
||||
* 'HTTP_X_FORWARDED_FOR' here.
|
||||
*
|
||||
* If set incorrectly, a client can spoof their IP address as visible to
|
||||
* ownCloud, bypassing access controls and making logs useless!
|
||||
*
|
||||
* Defaults to 'HTTP_X_FORWARED_FOR' if unset
|
||||
*/
|
||||
'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
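Review bot: The added doc line `* Defaults to 'HTTP_X_FORWARED_FOR' if unset` misspells the key (the D in FORWARDED is missing); it should read `* Defaults to 'HTTP_X_FORWARDED_FOR' if unset`. An administrator who copies the misspelled key would configure a header that presumably never matches, so the proxy's address rather than the client's would end up in logs and access decisions. The unchanged sample value `array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR')` lists two headers, neither of which is the documented default, which sits oddly beside the new spoofing warning; consider `'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),` so the sample matches the shipped default. The `$CONFIG` array begins and ends outside this hunk.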
|
||||
|
||||
|
|
|
@ -452,7 +452,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
|
|||
$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
|
||||
|
||||
if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
|
||||
$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', []);
|
||||
$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
|
||||
'HTTP_X_FORWARDED_FOR'
|
||||
// only have one default, so we cannot ship an insecure product out of the box
|
||||
]);
|
||||
|
||||
foreach($forwardedForHeaders as $header) {
|
||||
if(isset($this->server[$header])) {
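Review bot: The rationale comment sits inside the array literal after its only element, where it reads like a note about a missing second entry; place it above the call, e.g. `// Trust a single header by default: every extra header is one more the proxy must strip or overwrite, otherwise a client can spoof its address.` With this default, any deployment that sets `trusted_proxies` starts honouring X-Forwarded-For, so the handling of a comma-separated header value below the hunk deserves a second look, since entries not written by the trusted proxy are client-controlled; that code is not visible here, so this is a question rather than a finding. A configured non-array value (a plain string) would reach `foreach` unchanged, and an `(array)` cast on the `getSystemValue()` result would tolerate it. The enclosing method starts and ends outside the hunk.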
|
||||
|
|