Overview

File CVE-2022-2255.patch of Package apache2-mod_wsgi.31569

From af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 Mon Sep 17 00:00:00 2001
From: Graham Dumpleton <Graham.Dumpleton@gmail.com>
Date: Mon, 18 Jul 2022 12:29:38 +1000
Subject: [PATCH] Add fix to ensure that X-Client-IP header is dropped when is
 not a trusted header.

---
 src/server/mod_wsgi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/server/mod_wsgi.c b/src/server/mod_wsgi.c
index 0123472b..a4b49df1 100644
--- a/src/server/mod_wsgi.c
+++ b/src/server/mod_wsgi.c
@@ -14055,6 +14055,7 @@ static void wsgi_process_proxy_headers(request_rec *r)
             name = ((const char**)trusted_proxy_headers->elts)[i];
 
             if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
+                     !strcmp(name, "HTTP_X_CLIENT_IP") ||
                      !strcmp(name, "HTTP_X_REAL_IP")) {
 
                 match_client_header = 1;
openSUSE Build Service is sponsored by
Places