Comment 4 for bug 1511222

I have confirmed a bug in mod_remoteip.c's remoteip_modify_request function.

This bug was reported by <email address hidden> in 2012 in this thread: <email address hidden>%3E

The bug appears to still be in httpd/trunk.

The bug here is that, even though temp_sa gets assigned to a new IP with every iteration of the while-loop, the apr_ipsubnet_test continues to check the list of proxy match_ip against the same connection IP (using c->client_addr) over and over again. Thus, if c->client_addr matches, the code always walks to the very beginning of the X-Forwarded-For header.

--- modules/metadata/mod_remoteip.c (revision 1407459)
+++ modules/metadata/mod_remoteip.c (working copy)
@@ -246,16 +246,16 @@
     temp_sa = c->client_addr;

     while (remote) {

- /* verify c->client_addr is trusted if there is a trusted proxy list
+ /* verify temp_sa is trusted if there is a trusted proxy list
         if (config->proxymatch_ip) {
             int i;
             remoteip_proxymatch_t *match;
             match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
             for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
- if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
+ if (apr_ipsubnet_test(match[i].ip, temp_sa)) {
                     internal = match[i].internal;

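Review bot: the replacement comment line `+ /* verify temp_sa is trusted if there is a trusted proxy list` has no closing `*/` as shown, and both the `-`/`+` comment lines and the `apr_ipsubnet_test` lines appear to have lost their leading indentation relative to the `if (config->proxymatch_ip) {` context; please check that the patch as applied keeps the comment terminator and the original indentation so the file compiles and the diff stays minimal. The substantive change, testing `temp_sa` instead of `c->client_addr` inside the `for` loop, is correct: `temp_sa` is the address accepted in the previous iteration of `while (remote)`, so each hop of the header is now checked against the proxy list rather than the original connection address.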
The fix is to replace apr_ipsubnet_test(match[i].ip, c->client_addr) with apr_ipsubnet_test(match[i].ip, temp_sa), and to correct the comment that mentions c->client_addr. Once fixed, the module works great.

To reproduce this bug, you have to set up mod_remoteip with these directives:

RemoteIPHeader X-Forwarded-For

Then make two requests:

1) curl --header 'X-Forwarded-For:' http://localhost:80/
2) curl --header 'X-Forwarded-For:,' http://localhost:80/

For (1) the r->useragent_ip logged is expected to be . The code behaves correctly for this case.

For (2) the r->useragent_ip logged should be . The current code logs still. This is not the behavior as documented because is not configured to be "trusted".
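The header walk this comment describes, as an added illustration in C that is not part of the comment above or of mod_remoteip itself: a constructed trusted-proxy list and a plain string-prefix test stand in for RemoteIPTrustedProxy and apr_ipsubnet_test, and the `buggy` flag switches between testing the original connection address on every iteration (the defect) and testing the hop accepted in the previous iteration (the fix). The sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16
#define IP_LEN 64

/* Constructed trusted-proxy list; a prefix match stands in for the
 * subnet test that apr_ipsubnet_test performs in the real module. */
static const char *trusted_prefixes[] = { "10.0.0.", "192.168.1.", NULL };

static int is_trusted(const char *ip)
{
    for (int i = 0; trusted_prefixes[i] != NULL; i++) {
        size_t n = strlen(trusted_prefixes[i]);
        if (strncmp(ip, trusted_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Split a comma-separated header value into trimmed, non-empty hops. */
static int split_hops(const char *xff, char hops[][IP_LEN], int max)
{
    int count = 0;
    const char *p = xff;
    while (count < max) {
        while (*p == ' ' || *p == '\t')
            p++;
        const char *start = p;
        while (*p && *p != ',')
            p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
        size_t len = (size_t)(end - start);
        if (len > 0) {
            if (len >= IP_LEN)
                len = IP_LEN - 1;
            memcpy(hops[count], start, len);
            hops[count][len] = '\0';
            count++;
        }
        if (*p != ',')
            break;
        p++;
    }
    return count;
}

/* Walk X-Forwarded-For from the right, one hop per iteration, the way
 * remoteip_modify_request does. With buggy != 0 the trust test always
 * looks at the original connection address (the defect reported above);
 * with buggy == 0 it looks at temp_sa, the hop accepted last time (the fix).
 * Returns out, which holds the resolved user-agent address. */
static char *resolve_useragent_ip(const char *client_addr, const char *xff,
                                  int buggy, char *out, size_t outlen)
{
    char hops[MAX_HOPS][IP_LEN];
    char temp_sa[IP_LEN];
    int n = split_hops(xff, hops, MAX_HOPS);

    snprintf(temp_sa, sizeof temp_sa, "%s", client_addr);
    for (int i = n - 1; i >= 0; i--) {
        const char *tested = buggy ? client_addr : temp_sa;
        if (!is_trusted(tested))
            break;          /* current address is not a trusted proxy: stop */
        snprintf(temp_sa, sizeof temp_sa, "%s", hops[i]);
    }
    snprintf(out, outlen, "%s", temp_sa);
    return out;
}

/* Convenience check: 1 if the walk resolves to `expected`, else 0. */
static int resolves_to(const char *client_addr, const char *xff,
                       int buggy, const char *expected)
{
    char out[IP_LEN];
    return strcmp(resolve_useragent_ip(client_addr, xff, buggy, out, sizeof out),
                  expected) == 0;
}

int main(void)
{
    const char *client = "10.0.0.5";   /* constructed: a trusted front proxy */
    const char *xff = "203.0.113.7, 198.51.100.9, 10.0.0.6";
    char buggy[IP_LEN], fixed[IP_LEN];

    printf("buggy: %s\n", resolve_useragent_ip(client, xff, 1, buggy, sizeof buggy));
    printf("fixed: %s\n", resolve_useragent_ip(client, xff, 0, fixed, sizeof fixed));
    return 0;
}
```

With the defect, the trusted 10.0.0.5 connection address passes the test on every iteration, so the walk runs to the leftmost entry (203.0.113.7), an attacker-controllable value. With the fix, the walk stops at 198.51.100.9, the first hop that is not on the trusted list, which is the documented behaviour.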