fix untrusted PROXY lines being accepted

As of 3dc5c8de78, the PROXY-before-TLS proxy line
and any proxy information carried in X-Forwarded-For
do not count as the "first line", so an additional
client-supplied PROXY line would have been accepted.
Shivaram Lingamneni 2020-05-10 19:12:18 -04:00
parent d562c6d25a
commit 89984f9c36
1 changed files with 3 additions and 2 deletions


@ -57,8 +57,9 @@ func (wc *webircConfig) Populate() (err error) {
// ApplyProxiedIP applies the given IP to the client. // ApplyProxiedIP applies the given IP to the client.
func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) { func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) {
// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself // PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
// is whitelisted: // is whitelisted. Furthermore, don't accept PROXY or WEBIRC if we already accepted
if session.isTor { // a proxied IP from any source (PROXY, WEBIRC, or X-Forwarded-For):
if session.isTor || session.proxiedIP != nil {
return errBadProxyLine, "" return errBadProxyLine, ""
} }
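Review bot: The new `session.proxiedIP != nil` guard only holds if every trusted path (PROXY-before-TLS, X-Forwarded-For, WEBIRC) stores into `session.proxiedIP` before a client-supplied line can reach this function, and none of those assignments are visible in this hunk; the rest of ApplyProxiedIP lies outside it. The diffstat shows a single changed file, so the commit appears to ship without a regression test. A test that sends a second PROXY or WEBIRC line after a trusted proxied IP has been set, and expects `errBadProxyLine`, would keep the behaviour described for 3dc5c8de78 from coming back. The doc comment could also state the contract, e.g. `// It returns errBadProxyLine for Tor sessions and for sessions that already have a proxied IP.`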