mirror of
https://github.com/ergochat/ergo.git
fix untrusted PROXY lines being accepted
As of 3dc5c8de78, the PROXY-before-TLS proxy line
and any proxy information carried in X-Forwarded-For
do not count as the "first line", so an additional
client-supplied PROXY line would have been accepted.
parent
d562c6d25a
commit
89984f9c36
@ -57,8 +57,9 @@ func (wc *webircConfig) Populate() (err error) {
|
||||
// ApplyProxiedIP applies the given IP to the client.
|
||||
func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) {
|
||||
// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
|
||||
// is whitelisted:
|
||||
if session.isTor {
|
||||
// is whitelisted. Furthermore, don't accept PROXY or WEBIRC if we already accepted
|
||||
// a proxied IP from any source (PROXY, WEBIRC, or X-Forwarded-For):
|
||||
if session.isTor || session.proxiedIP != nil {
|
||||
return errBadProxyLine, ""
|
||||
}
|
||||
|
||||
|
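Review bot: The new guard `if session.isTor || session.proxiedIP != nil` only closes the spoofing path if every accepted source (PROXY-before-TLS, X-Forwarded-For, WEBIRC) stores its address in `session.proxiedIP` before a client-supplied line can reach ApplyProxiedIP. That assignment is not visible in this hunk, and the function body continues beyond it, so the invariant should be checked against the callers. The doc comment should state the contract, for example `// ApplyProxiedIP applies the given IP to the client. It returns errBadProxyLine if the session is on a Tor listener or has already accepted a proxied IP from any source.` A regression test that sends a second PROXY line after each trusted source would pin the behaviour. Both rejection reasons return the same `errBadProxyLine` with an empty quit message, so a repeated client PROXY line, which is likely a spoofing attempt, may be indistinguishable from a Tor rejection in logs unless the caller records the reason.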