Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'

This commit is contained in:
Robin McCorkell 2015-07-25 18:10:21 +01:00 committed by Thomas Müller
parent 9650f3ecbe
commit 8944af57cb
2 changed files with 11 additions and 2 deletions

View File

@ -1017,7 +1017,13 @@ $CONFIG = array(
/**
* Headers that should be trusted as client IP address in combination with
* `trusted_proxies`
* `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
* 'HTTP_X_FORWARDED_FOR' here.
*
* If set incorrectly, a client can spoof their IP address as visible to
* ownCloud, bypassing access controls and making logs useless!
*
* Defaults to 'HTTP_X_FORWARED_FOR' if unset
*/
'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),

View File

@ -452,7 +452,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', []);
$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
'HTTP_X_FORWARDED_FOR'
// only have one default, so we cannot ship an insecure product out of the box
]);
foreach($forwardedForHeaders as $header) {
if(isset($this->server[$header])) {