From cf92e759cfe20afd2311f719c04bdd8d7ceb4623 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 21 Sep 2008 13:36:52 +0000
Subject: [PATCH] If change-x-forwarded-for{add} is used and the client sends multiple X-Forwarded-For headers, append the client's IP address to each one of them. "Traditionally" we would lose all but the last one.
---
 loaders.c | 8 ++++++--
 parsers.c | 49 ++++++++++++++++++++++++++-----------------------
 project.h | 19 +++++++++++--------
 3 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/loaders.c b/loaders.c
index f2d8d5f8..10d08b81 100644
--- a/loaders.c
+++ b/loaders.c
@@ -1,4 +1,4 @@
-const char loaders_rcs[] = "$Id: loaders.c,v 1.67 2008/03/30 14:52:08 fabiankeil Exp $";
+const char loaders_rcs[] = "$Id: loaders.c,v 1.68 2008/09/19 15:26:28 fabiankeil Exp $";
 /*********************************************************************
 *
 * File : $Source: /cvsroot/ijbswa/current/loaders.c,v $
@@ -35,6 +35,11 @@ const char loaders_rcs[] = "$Id: loaders.c,v 1.67 2008/03/30 14:52:08 fabiankeil
 *
 * Revisions :
 * $Log: loaders.c,v $
+ * Revision 1.68 2008/09/19 15:26:28 fabiankeil
+ * Add change-x-forwarded-for{} action to block or add
+ * X-Forwarded-For headers. Mostly based on code removed
+ * before 3.0.7.
+ *
 * Revision 1.67 2008/03/30 14:52:08 fabiankeil
 * Rename load_actions_file() and load_re_filterfile()
 * as they load multiple files "now".
@@ -511,7 +516,6 @@ void sweep(void)
 freez(csp->ip_addr_str);
 freez(csp->iob->buf);
- freez(csp->x_forwarded_for);
 freez(csp->error_message);
 if (csp->action->flags & ACTION_FORWARD_OVERRIDE &&
diff --git a/parsers.c b/parsers.c
index 921d6184..94fc9ce7 100644
--- a/parsers.c
+++ b/parsers.c
@@ -1,4 +1,4 @@
-const char parsers_rcs[] = "$Id: parsers.c,v 1.141 2008/09/19 15:26:28 fabiankeil Exp $";
+const char parsers_rcs[] = "$Id: parsers.c,v 1.142 2008/09/20 10:04:33 fabiankeil Exp $";
 /*********************************************************************
 *
 * File : $Source: /cvsroot/ijbswa/current/parsers.c,v $
@@ -44,6 +44,10 @@ const char parsers_rcs[] = "$Id: parsers.c,v 1.141 2008/09/19 15:26:28 fabiankei
 *
 * Revisions :
 * $Log: parsers.c,v $
+ * Revision 1.142 2008/09/20 10:04:33 fabiankeil
+ * Remove hide-forwarded-for-headers action which has
+ * been obsoleted by change-x-forwarded-for{block}.
+ *
 * Revision 1.141 2008/09/19 15:26:28 fabiankeil
 * Add change-x-forwarded-for{} action to block or add
 * X-Forwarded-For headers. Mostly based on code removed
@@ -3380,24 +3384,25 @@ jb_err client_x_forwarded(struct client_state *csp, char **header)
 {
 if (0 != (csp->action->flags & ACTION_CHANGE_X_FORWARDED_FOR))
 {
- const char *param = csp->action->string[ACTION_STRING_CHANGE_X_FORWARDED_FOR];
+ const char *parameter = csp->action->string[ACTION_STRING_CHANGE_X_FORWARDED_FOR];
- if (0 == strcmpic(param, "block"))
+ if (0 == strcmpic(parameter, "block"))
 {
 freez(*header);
 log_error(LOG_LEVEL_HEADER, "crunched x-forwarded-for!");
 }
- else if (0 == strcmpic(param, "add"))
+ else if (0 == strcmpic(parameter, "add"))
 {
- /* Save it so we can re-add it later */
- freez(csp->x_forwarded_for);
- csp->x_forwarded_for = *header;
+ string_append(header, ", ");
+ string_append(header, csp->ip_addr_str);
- /*
- * Always set *header = NULL, since this information
- * will be sent at the end of the header.
- */
- *header = NULL;
+ if (*header == NULL)
+ {
+ return JB_ERR_MEMORY;
+ }
+ log_error(LOG_LEVEL_HEADER,
+ "Appended client IP address to %s", *header);
+ csp->flags |= CSP_FLAG_X_FORWARDED_FOR_APPENDED;
 }
 }
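Review bot: In parsers.c client_x_forwarded(), the `add` branch keeps whatever the client put in each X-Forwarded-For header and only appends `csp->ip_addr_str` to it, and nothing in the hunk documents that the existing value is unverified. Per the commit message the branch runs once per header, so a recipient that joins repeated fields into one list would see the appended address repeated between client-supplied entries; only the last element of each header reflects what this proxy observed. I would add a comment above the two `string_append()` calls, e.g. `/* The existing value is client-supplied and unverified; only the address appended here is what we observed. */`. The unconditional `", "` also presumably yields a leading empty list element when the client sends the header with an empty value, which is worth confirming against the header-parsing code outside this hunk.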
@@ -3900,21 +3905,19 @@ static jb_err client_x_forwarded_for_adder(struct client_state *csp)
 char *header = NULL;
 jb_err err;
- if (!((csp->action->flags & ACTION_CHANGE_X_FORWARDED_FOR) &&
- (0 == strcmpic(csp->action->string[ACTION_STRING_CHANGE_X_FORWARDED_FOR], "add"))))
+ if (!((csp->action->flags & ACTION_CHANGE_X_FORWARDED_FOR)
+ && (0 == strcmpic(csp->action->string[ACTION_STRING_CHANGE_X_FORWARDED_FOR], "add")))
+ || (csp->flags & CSP_FLAG_X_FORWARDED_FOR_APPENDED))
 {
+ /*
+ * If we aren't adding X-Forwarded-For headers,
+ * or we already appended an existing X-Forwarded-For
+ * header, there's nothing left to do here.
+ */
 return JB_ERR_OK;
 }
- if (csp->x_forwarded_for)
- {
- header = strdup(csp->x_forwarded_for);
- string_append(&header, ", ");
- }
- else
- {
- header = strdup("X-Forwarded-For: ");
- }
+ header = strdup("X-Forwarded-For: ");
 string_append(&header, csp->ip_addr_str);
 if (header == NULL)
diff --git a/project.h b/project.h
index 026fc0f0..d3c33cfa 100644
--- a/project.h
+++ b/project.h
@@ -1,7 +1,7 @@
 #ifndef PROJECT_H_INCLUDED
 #define PROJECT_H_INCLUDED
 /** Version string. */
-#define PROJECT_H_VERSION "$Id: project.h,v 1.118 2008/09/19 15:26:29 fabiankeil Exp $"
+#define PROJECT_H_VERSION "$Id: project.h,v 1.119 2008/09/20 10:04:33 fabiankeil Exp $"
 /*********************************************************************
 *
 * File : $Source: /cvsroot/ijbswa/current/project.h,v $
@@ -37,6 +37,10 @@
 *
 * Revisions :
 * $Log: project.h,v $
+ * Revision 1.119 2008/09/20 10:04:33 fabiankeil
+ * Remove hide-forwarded-for-headers action which has
+ * been obsoleted by change-x-forwarded-for{block}.
+ *
 * Revision 1.118 2008/09/19 15:26:29 fabiankeil
 * Add change-x-forwarded-for{} action to block or add
 * X-Forwarded-For headers. Mostly based on code removed
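Review bot: In parsers.c client_x_forwarded_for_adder(), the new guard has the shape `!(A && B) || C` spread over three lines, with the negation covering only the first two conditions, which is easy to misread. Two separate early returns would state the intent directly: first `if (csp->flags & CSP_FLAG_X_FORWARDED_FOR_APPENDED) return JB_ERR_OK;`, then the original `add` check unchanged. The added comment could also say that the flag is set in client_x_forwarded(), since skipping the new header is only correct if that parser has already run for this request; the call order is not visible in the hunk. The function body continues outside the hunk.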
@@ -1313,6 +1317,12 @@ struct url_actions
 */
 #define CSP_FLAG_NO_FILTERING 0x00000400UL
+/**
+ * Flag for csp->flags: Set the client IP has appended to
+ * an already existing X-Forwarded-For header in which case
+ * no new header has to be generated.
+ */
+#define CSP_FLAG_X_FORWARDED_FOR_APPENDED 0x00000800UL
 /*
 * Flags for use in return codes of child processes
@@ -1385,13 +1395,6 @@ struct client_state
 /** MIME-Type key, see CT_* above */
 unsigned int content_type;
- /** The "X-Forwarded-For:" header sent by the client */
- /*
- * XXX: this is a hack that causes problems if
- * there's more than one X-Forwarded-For header.
- */
- char *x_forwarded_for;
-
 /** Actions files associated with this client */
 struct file_list *actions_list[MAX_AF_FILES];
-- 
2.39.2
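Review bot: In project.h the doc comment on `CSP_FLAG_X_FORWARDED_FOR_APPENDED` is garbled ("Set the client IP has appended to"), so the condition under which the flag is set does not read clearly. I would reword it to `Flag for csp->flags: Set if the client's IP address has been appended to an already existing X-Forwarded-For header, in which case no new header has to be generated.` The value 0x00000800UL follows 0x00000400UL in the visible context; whether that bit is otherwise unused in csp->flags cannot be checked from the hunk.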