
Project highlights: A modern, light-weight, self-contained, web-based toolset for Subversion repository browsing and administration.  A live system can be seen in action here.


CVS update: /insurrection/src/

Author mksoft
Full name Michael Sinz
Date 2005-10-20 18:55:34 PDT
Message User: mksoft
Date: 2005/10/20 18:55:34

Modified:
   insurrection/src/admin.pl

Log:
 Thanks to Pete Krawczyk for finding a problem with using Insurrection
 behind an Apache proxy - there was a problem with one of my security
 bits where I was not taking into account that the X-Forwarded-Host
 header could have multiple values in it (the multiple proxies)
 
 Anyway, it turns out that we need to check that the last (most current)
 X-Forwarded-Host: header matches our Host: header in order to be extra
 careful about the security (we already do an IP address check)
 
 This fix should address that issue. (1 line change, 5 more lines of
 comments...)
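The header check the log describes, as an added Python illustration (not the project's Perl code): the first function mirrors the committed pattern, with the Host value interpolated into the regex unescaped, while the second splits the header on commas and compares the last entry literally, which is what a `\Q...\E`-quoted Perl pattern or a plain `eq` on the last element would do. The header values are constructed samples.

```python
import re


def last_forwarded_host_matches_regex(x_forwarded_host: str, host: str) -> bool:
    """Mirror of the committed Perl check m/^(.*, )*$ENV{'HTTP_HOST'}$/.

    The Host value is spliced into the pattern without escaping, so every
    '.' in it is a wildcard, and only the literal ", " separator is accepted.
    """
    return re.fullmatch(r"(.*, )*" + host, x_forwarded_host) is not None


def last_forwarded_host_matches_strict(x_forwarded_host: str, host: str) -> bool:
    """Tolerant parse, literal compare: split on commas, trim each entry,
    and require the last one (the entry added by the nearest proxy) to be
    byte-for-byte equal to the Host header."""
    entries = [e.strip() for e in x_forwarded_host.split(",")]
    return entries[-1] != "" and entries[-1] == host


def compare(x_forwarded_host: str, host: str) -> tuple:
    """Return (regex_result, strict_result) so the two checks can be compared."""
    return (
        last_forwarded_host_matches_regex(x_forwarded_host, host),
        last_forwarded_host_matches_strict(x_forwarded_host, host),
    )


if __name__ == "__main__":
    HOST = "www.example.com"  # constructed sample Host header
    for xfh in (
        "a.example.org, www.example.com",  # chained proxies, last entry matches
        "www.example.com",                 # single proxy
        "www.example.com, other.example.org",  # last entry differs
        "wwwXexample.com",                 # unescaped '.' lets this pass the regex
        "a.example.org,www.example.com",   # no space after comma: regex rejects
    ):
        print(f"{xfh!r:40} regex={compare(xfh, HOST)[0]!s:5} strict={compare(xfh, HOST)[1]}")
```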

File Changes:

Directory: /insurrection/src/
=============================

File [changed]: admin.pl
Url: http://insurrection.tigris.org/source/browse/insurrection/src/admin.pl?r1=1.44&r2=1.45
Delta lines: +8 -3
-------------------
--- admin.pl 11 Oct 2005 18:35:28 -0000 1.44
+++ admin.pl 21 Oct 2005 01:55:31 -0000 1.45
@@ -1,5 +1,5 @@
 #
-# $Id: admin.pl,v 1.44 2005/10/11 18:35:28 mksoft Exp $
+# $Id: admin.pl,v 1.45 2005/10/21 01:55:31 mksoft Exp $
 # Copyright 2004,2005 - Michael Sinz
 #
 # This is some common code that all of the Perl code
@@ -367,7 +367,7 @@
    my $version = shift;
 
    ## Use the version of this file if there was no version passed.
- $version = '$Id: admin.pl,v 1.44 2005/10/11 18:35:28 mksoft Exp $' if (!defined $version);
+ $version = '$Id: admin.pl,v 1.45 2005/10/21 01:55:31 mksoft Exp $' if (!defined $version);
 
    ## Now, lets just use the version information a title attribute of the footer
 
@@ -453,8 +453,13 @@
       ## and now all we need to do is trust it. In all other cases
       ## Note: This security can be broken if someone else puts in
       ## a proxy on the same server and sets it up just right...
+ ## (Note, to handle HTTP_X_FORWARDED_HOST correctly we need
+ ## deal with multiple entries - we assume that the last entry
+ ## is that added by the current server - which is what we
+ ## next to check if it is "self-referential" and thus already
+ ## has cleared the main security checks)
       if ((($ENV{'REMOTE_ADDR'} eq $ENV{'SERVER_ADDR'})
- && ($ENV{'HTTP_HOST'} eq $ENV{'HTTP_X_FORWARDED_HOST'}))
+ && ($ENV{'HTTP_X_FORWARDED_HOST'} =~ m/^(.*, )*$ENV{'HTTP_HOST'}$/))
          && (length($path) > 2)
          && (defined $cgi->param('Insurrection'))
          && ($cgi->param('Insurrection') eq $type))
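Review bot: in `m/^(.*, )*$ENV{'HTTP_HOST'}$/` the Host value is interpolated into the pattern unescaped, so each `.` in the host name matches any character and any other metacharacter in the header would alter the pattern; quote it as `\Q$ENV{'HTTP_HOST'}\E`, or split `HTTP_X_FORWARDED_HOST` on commas and compare the last trimmed entry with `eq`. The separator is also hard-coded as the literal `, `, so a proxy that joins values with a bare comma fails the check (it fails closed, but that is worth stating in the comment). Two typos in the added comment block: "we need deal with" should read "we need to deal with", and "which is what we next to check" should read "which is what we need to check".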
