Bug 28125 - mod_rewrite causes privacy leak in http proxy
Summary: mod_rewrite causes privacy leak in http proxy
Status: CLOSED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite
Version: 2.0.49
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2004-04-01 12:23 UTC by ast
Modified: 2004-11-16 19:05 UTC



Attachments
prevent mod_rewrite caused privacy leak in http proxy (864 bytes, patch)
2004-04-01 12:24 UTC, ast
Description ast 2004-04-01 12:23:58 UTC
If rewrite rules are used within a <Proxy *></Proxy> block mod_rewrite
unconditionally sets r->proxyreq = PROXYREQ_REVERSE which causes
modules/proxy/proxy_http.c to add the following headers to all regular,
i.e. forward proxy requests:

X-Forwarded-For: <local-client-ip>
X-Forwarded-Host: <local-client-hostname>
X-Forwarded-Server: <local-proxy-hostname>

To prevent this privacy leak mod_rewrite must not change the value of
r->proxyreq if it already has the value of PROXYREQ_PROXY.

Note that this is a very valid scenario as mod_rewrite can be used
e.g. to deny certain buggy user agents access to the proxy.

Patch follows.
Comment 1 ast 2004-04-01 12:24:59 UTC
Created attachment 11080
prevent mod_rewrite caused privacy leak in http proxy
Comment 2 André Malo 2004-04-03 20:35:19 UTC
Fixed in 2.1 and proposed for backport into the 2.0 branch.

Thanks for the report and thanks for using Apache!
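
The behaviour reported in the description, modelled in C as an added example; it is not the attached patch and not httpd source. `struct model_request` and all function names are hypothetical stand-ins, and the header decision is modelled only as the report describes it for proxy_http.c.

```c
#include <stdio.h>
#include <string.h>

/* Constant names as used in the report; values as in httpd's httpd.h. */
#define PROXYREQ_NONE    0  /* not a proxy request */
#define PROXYREQ_PROXY   1  /* forward proxy request */
#define PROXYREQ_REVERSE 2  /* reverse proxy request */

/* Hypothetical stand-in for the single request field involved. */
struct model_request { int proxyreq; };

/* Reported behaviour: the rewrite step overwrites proxyreq unconditionally. */
static void rewrite_mark_unconditional(struct model_request *r)
{
    r->proxyreq = PROXYREQ_REVERSE;
}

/* Requested behaviour: leave proxyreq alone if it is already PROXYREQ_PROXY. */
static void rewrite_mark_preserving(struct model_request *r)
{
    if (r->proxyreq != PROXYREQ_PROXY)
        r->proxyreq = PROXYREQ_REVERSE;
}

/* Model of the header decision: X-Forwarded-* is added only for
 * reverse-proxy requests. Returns the number of names copied to out. */
static int outgoing_forwarded_headers(const struct model_request *r,
                                      const char *out[3])
{
    static const char *const names[3] = {
        "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Server" };
    if (r->proxyreq != PROXYREQ_REVERSE)
        return 0;
    memcpy(out, names, sizeof names);
    return 3;
}

/* Pass one request through a rewrite step; count headers the origin sees. */
static int leaked_headers(int initial, void (*rewrite)(struct model_request *))
{
    struct model_request r = { initial };
    const char *hdrs[3];
    rewrite(&r);
    return outgoing_forwarded_headers(&r, hdrs);
}

int main(void)
{
    printf("forward request, unconditional: %d headers\n",
           leaked_headers(PROXYREQ_PROXY, rewrite_mark_unconditional));
    printf("forward request, preserving:    %d headers\n",
           leaked_headers(PROXYREQ_PROXY, rewrite_mark_preserving));
    return 0;
}
```
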