Bug 28125

Summary: mod_rewrite causes privacy leak in http proxy
Product: Apache httpd-2 Reporter: ast
Component: mod_rewriteAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: major Keywords: PatchAvailable
Priority: P3    
Version: 2.0.49   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: prevent mod_rewrite caused privacy leak in http proxy

Description ast 2004-04-01 12:23:58 UTC 
If rewrite rules are used within a <Proxy *></Proxy> block mod_rewrite
unconditionally sets r->proxyreq = PROXYREQ_REVERSE which causes
modules/proxy/proxy_http.c to add the following headers to all regular,
i.e. forward proxy requests:

X-Forwarded-For: <local-client-ip>
X-Forwarded-Host: <local-client-hostname>
X-Forwarded-Server: <local-proxy-hostname>

To prevent this privacy leak mod_rewrite must not change the value of
r->proxyreq if it already has the value of PROXYREQ_PROXY.

Note that this is a very valid scenario as mod_rewrite can be used
e.g. to deny certain buggy user agents access to the proxy.

Patch follows.
Comment 1 ast 2004-04-01 12:24:59 UTC 
Created attachment 11080 [details]
prevent mod_rewrite caused privacy leak in http proxy
Comment 2 André Malo 2004-04-03 20:35:19 UTC 
Fixed in 2.1 and proposed for backport into the 2.0 branch.

Thanks for the report and thanks for using Apache!