mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 05:07:42 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_http: Make RFC 7239 Forwarded opt-in for now to be safe

Browse source 
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.

By only supporting one at a time, it can be configured to match what the
proxy uses.

Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
This commit is contained in:
Kim Alvefur 2023-06-03 21:53:20 +02:00
parent 8c92b32b7a
commit 16381e754d
2 changed files with 11 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CHANGES
View file

@ -42,7 +42,7 @@ TRUNK
- mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy
- Ability to use SQLite3 storage using LuaSQLite3 instead of LuaDBI
- Moved all modules into the Lua namespace `prosody.`
- Forwarded header from RFC 7239 supported
- Forwarded header from RFC 7239 supported, disabled by default
## Removed