Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API IP Whitelist check does not consider XFF #1559

Closed
lochiiconnectivity opened this issue Oct 25, 2016 · 0 comments
Closed

API IP Whitelist check does not consider XFF #1559

lochiiconnectivity opened this issue Oct 25, 2016 · 0 comments

Comments

@lochiiconnectivity
Copy link

Steps to reproduce

  1. Deploy TeamPass in environment behind reverse proxy (i.e Docker/Nginx).
  2. Set up API whitelist against a real , external source address.
  3. Watch API fail with rest_error("IPWHITELIST") because only REMOTE_ADDR is checked.

Expected behaviour

X-Forwarded-For should also be checked, you should safely assume any webserver or reverse proxy this application is deployed behind properly sanitises this header.

Actual behaviour

X-Forwarded-For is not checked, resulting in the user being denied access (as the proxy is seen as REMOTE_ADDR)

I will supply a PR to fix.
lochiiconnectivity added a commit to lochiiconnectivity/TeamPass that referenced this issue Oct 25, 2016
@lochiiconnectivity
Check XFF in addition to REMOTE_ADDR. Do not disclose IP in error mes…
5604d88 
…sage

if not in whitelist.

Fixes nilsteampassnet#1559.
@lochiiconnectivity lochiiconnectivity mentioned this issue Oct 25, 2016
Closed
nilsteampassnet added a commit that referenced this issue Nov 19, 2016
@nilsteampassnet
2.1.27
14e0c10 
- Implemented new session encryption library (getting rid of mcrypt extension)
- Language selection is now in User Profile (Default language is used on authentication page)
- Updated AES library
Merge of #1532, #1553, #1556, #1559
@lochiiconnectivity lochiiconnectivity mentioned this issue Apr 28, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Check XFF in addition to REMOTE_ADDR (Fix #1559). lochiiconnectivity/TeamPass
2 participants
@nilsteampassnet @lochiiconnectivity