On 07.11.2014 at 12:51, Cor Bosman wrote:
>>> On 07 Nov 2014, at 12:44, Reindl Harald <[email protected]> wrote:
>>>> I don't know what roundcube itself does with that info, but I don't think it
>>>> does anything 'dangerous' with it
>>>
>>> *but* dovecot may do depending on the configuration because forwarding that
>>> information has the simple reason that otherwise you can't enforce ip based
>>> access lists for webmail users
>>>
>>> finally that means: don't forward untrustworthy information to dovecot
>>>
>>> doing so breaks until that happens sane and secure configurations and
>>> secure in that context means nobody but the server admin knows the big
>>> picture of proxies, NAT and access lists and hence is responsible to deal
>>> with that - that's why mod_remoteip exists
>>
>> Dovecot doesn't. All dovecot does with that information is log the
>> x-forwarded-ip
>
> and then on the server runs "fail2ban" enforcing blocking based on that log -
> congratulations
That still doesn't compromise your security, but I see your point. A DoS possibility, even a remote possibility, is annoying. I'll revert my plugin back to $_SERVER, and I'll leave it up to the rc devs what to do with the rcube_utils function.

Cor

_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
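The safeguard Reindl points at (the trusted-proxy model of mod_remoteip), written out as an added Python example that is not code from Roundcube, Dovecot or anyone in this thread: X-Forwarded-For is honoured only when the connecting peer is one of the administrator's configured proxies, so a header forged by an arbitrary client cannot place a victim's address into the log line that fail2ban acts on. The proxy ranges, addresses and log format below are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the proxies the site admin actually operates
# (the equivalent of mod_remoteip's RemoteIPTrustedProxy list).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the configured proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Decide which address to treat as the client.

    The header is consulted only when the TCP peer is a trusted proxy. Hops are
    then walked from the right (closest proxy first) and each one is accepted
    only while the hop that asserted it is itself trusted; the first untrusted
    address is the client. A header presented by an untrusted peer is ignored.
    """
    client = remote_addr
    if not xff or not is_trusted_proxy(remote_addr):
        return client
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = hop
        if not is_trusted_proxy(hop):
            break
    return client


def imap_login_log_line(user: str, remote_addr: str, xff: Optional[str]) -> str:
    """Constructed log line in the spirit of what a webmail front end hands on
    to its IMAP backend; the rip= field is what a log-driven banner would read."""
    return f"imap-login: user=<{user}>, rip={effective_client_ip(remote_addr, xff)}"
```

A client connecting directly with a forged header is logged under its own peer address, while a request relayed by a configured proxy resolves to the real upstream client.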
