List: fossil-users
Subject: Re: [fossil-users] scgi for Linux
From: Paul Ruizendaal <pnr () planet ! nl>
Date: 2010-06-08 6:41:57
Message-ID: 28db3d078ee05328232dc7bdbd959802 () 127 ! 0 ! 0 ! 1
Have thought about it some more, but no security epiphany. My view remains
that the command should be something like this:
fossil backend http|scgi [-P port|pipe] [-F front-server-ip] [-R repository]
Semantics could be:
- all requests coming from a client other than the front-server-ip (fip)
are denied with a "403 forbidden" response.
- all requests that specify a real client ip of 127.0.0.1 are denied with
the same response
- For http, X-Forwarded-For only looks at the first (ultimate client) ip;
if omitted the fip is used
- For http, it sets the base url to X-Fossil-BaseUrl; if omitted the base
url is root
- For scgi, the client ip is set to the client ip header which must be
present (at penalty of "400 bad request")
- For both, REMOTE_USER is honoured
Variations could be to add "any" to http|scgi to serve both at the same
time, or to make acceptance of remote user a feature that must be enabled
with an additional flag. I think & hope that the above can be done in a
small patch, as I remain opposed to adding bloat to Fossil.
Will that work for security and convenience? Input welcome.
Paul
On Wed, 2 Jun 2010 23:27:57 +0100, Owen Shepherd <owen.shepherd@e43.eu>
wrote:
> On 2 June 2010 18:11, Joshua Paine <joshua@letterblock.com> wrote:
>
>> Only 127.0.0.1 is privileged, right? So can we just not trust
>> X-Forwarded-For: 127.0.0.1 no matter who says it, and not worry if
>> X-Forwarded-For is abused otherwise?
>>
>
> No. Fossil keys its login cookies off the user's IP address. If the
> user can provide X-Forwarded-For, then stealing a cookie becomes a
> lot more useful.
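The rules listed in Paul's message, written out as an added example (this is not Fossil's code and not Paul's): one pure decision function for the HTTP case and one for the SCGI case, each given the TCP peer address, the request headers and the configured front-server IP, returning the status the backend should answer with and the client IP / base URL / remote user it should work with. The function names, the `Decision` type and the `REMOTE_USER` header lookup for HTTP are assumptions for illustration; the SCGI client-IP variable is assumed to be the CGI variable `REMOTE_ADDR`, which the message does not name. The sample requests in the `__main__` block are constructed.

```python
"""Added illustration of the proposed 'fossil backend' trust rules.

Not Fossil's code. It models the semantics listed in the message:
  - the TCP peer must be the front-server IP, else 403
  - a real client IP of 127.0.0.1 is refused with 403
  - HTTP: the first X-Forwarded-For entry is the client; absent -> front IP
  - HTTP: X-Fossil-BaseUrl sets the base URL; absent -> root ("/")
  - SCGI: the client-IP variable must be present, else 400
  - both: REMOTE_USER is honoured
Header/variable names not quoted in the message are assumptions.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

LOCALHOST = "127.0.0.1"


@dataclass
class Decision:
    status: int                        # 200 accept, 403 forbidden, 400 bad request
    client_ip: str = ""                # address Fossil should treat as the real client
    base_url: str = "/"                # base URL for generated links ("/" = root)
    remote_user: Optional[str] = None  # user asserted by the front server, if any


def _lower_keys(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def _first_forwarded(xff: str) -> str:
    """X-Forwarded-For is 'client, proxy1, proxy2, ...'; the message uses the first."""
    return xff.split(",")[0].strip()


def decide_http(peer_ip: str, headers: Mapping[str, str], front_ip: str) -> Decision:
    """Apply the HTTP-mode rules. peer_ip is the TCP peer that connected to us."""
    if peer_ip != front_ip:
        return Decision(403)            # only the front server may talk to the backend
    h = _lower_keys(headers)
    xff = h.get("x-forwarded-for", "").strip()
    client_ip = _first_forwarded(xff) if xff else front_ip
    if client_ip == LOCALHOST:
        return Decision(403)            # a claimed local (privileged) client is refused
    base_url = h.get("x-fossil-baseurl", "").strip() or "/"
    # 'REMOTE_USER' as an HTTP header name is an assumption of this example.
    return Decision(200, client_ip, base_url, h.get("remote_user"))


def decide_scgi(peer_ip: str, scgi_vars: Mapping[str, str], front_ip: str) -> Decision:
    """Apply the SCGI-mode rules. SCGI carries CGI-style variables (case-sensitive)."""
    if peer_ip != front_ip:
        return Decision(403)
    client_ip = scgi_vars.get("REMOTE_ADDR", "").strip()  # assumed variable name
    if not client_ip:
        return Decision(400)            # the client-IP variable is mandatory
    if client_ip == LOCALHOST:
        return Decision(403)
    # The message says nothing about a base URL for SCGI; root is used here.
    return Decision(200, client_ip, "/", scgi_vars.get("REMOTE_USER"))


if __name__ == "__main__":
    FRONT = "10.0.0.1"  # constructed: address of the front web server
    samples = [
        ("direct hit, not the front server",
         decide_http("10.0.0.2", {}, FRONT)),
        ("forged X-Forwarded-For claiming localhost",
         decide_http(FRONT, {"X-Forwarded-For": "127.0.0.1"}, FRONT)),
        ("normal proxied request",
         decide_http(FRONT, {"X-Forwarded-For": "203.0.113.9, 10.0.0.1",
                             "X-Fossil-BaseUrl": "/fossil"}, FRONT)),
        ("SCGI without client address",
         decide_scgi(FRONT, {}, FRONT)),
        ("SCGI with REMOTE_USER",
         decide_scgi(FRONT, {"REMOTE_ADDR": "198.51.100.7",
                             "REMOTE_USER": "alice"}, FRONT)),
    ]
    for label, d in samples:
        print(f"{label:45s} -> {d}")
```

One caveat a practitioner should keep in mind when reading these rules: the first X-Forwarded-For entry is only as trustworthy as the front server makes it. If the front server appends its own entry to whatever the browser sent rather than replacing the header, the browser still controls the first entry, and the cookie-theft concern Owen raises in the quoted reply applies unchanged; the refusal of 127.0.0.1 closes only the case Joshua asks about.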