[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fossil-users
Subject:    Re: [fossil-users] scgi for Linux
From:       Paul Ruizendaal <pnr () planet ! nl>
Date:       2010-06-08 6:41:57
Message-ID: 28db3d078ee05328232dc7bdbd959802 () 127 ! 0 ! 0 ! 1
[Download RAW message or body]

Have thought about it some more, but no security epiphany. My view remains
that the command should be something like this:

fossil backend http|scgi [-P port|pipe] [-F front-server-ip] [-R
repository]

Semantics could be:
- all requests coming from a client other than the front-server-ip (fip)
are denied with a "403 forbidden" response.
- all requests that specify a real client ip of 127.0.0.1 are denied with
the same response
- For http, X-Forwarded-For only looks at the first (ultimate client) ip;
if ommitted the fip is used
- For http, it sets the base url to X-Fossil-BaseUrl; if ommitted the base
url is root
- For scgi, the client ip is set to the client ip header which must be
present (at penalty of "400 bad request")
- For both, REMOTE_USER is honoured

Variations could be to add "any" to http|scgi to serve both at the same
time, or to make acceptance of remote user a feature that must be enabled
with an additonal flag. I think & hope that the above can be done in a
small patch, a I remain opposed to adding bloat to Fossil.

Will that work for security and convience? Input welcome.

Paul

On Wed, 2 Jun 2010 23:27:57 +0100, Owen Shepherd <owen.shepherd@e43.eu>
wrote:
> On 2 June 2010 18:11, Joshua Paine <joshua@letterblock.com> wrote:
> 
>> Only 127.0.0.1 is privileged, right? So can we just not trust
>> X-Forwarded-For: 127.0.0.1 no matter who says it, and not worry if
>> X-Forwarded-For is abused otherwise?
>>
> 
> No.  Fossil keys its login cookies off the user's IP address. If the
> user can provide X-Forwarded-For, then stealing a cookie becomes a
> lot more useful.

fossil backend http|scgi [-P port|pipe] [-F front-server-ip] [-R
repository]


[prev in list] [next in list] [prev in thread] [next in thread]