diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
index 55a7a43..94a8700 100644
--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
@@ -80,6 +80,10 @@ public:
 #endif
     ErrorState *error; ///< saved error page for centralized/delayed processing
     bool readNextRequest; ///< whether Squid should read after error handling
+
+#if FOLLOW_X_FORWARDED_FOR
+    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
+#endif
 };
 
 #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index f44849e..c7c09d4 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -80,6 +80,11 @@ static const char *const crlf = "\r\n";
 
 #if FOLLOW_X_FORWARDED_FOR
+
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
+#endif
+
 static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
 #endif /* FOLLOW_X_FORWARDED_FOR */
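Review bot: The new `SQUID_X_FORWARDED_FOR_HOP_MAX` define in client_side_request.cc carries no comment saying what it bounds or why 64 was chosen, and the matching header field `currentXffHopNumber` only says "values processed so far", so a reader cannot tell that hitting the limit is a deliberate stop rather than a parsing quirk. Because it is a build-time constant and not a squid.conf directive, the comment should say that too, so administrators do not expect to raise it through `follow_x_forwarded_for`. Suggested comment above the define: `/// Maximum number of X-Forwarded-For addresses clientFollowXForwardedForCheck() walks for one request; each step re-issues the ACL check with this function as its callback, so the cap keeps a client-controlled header from driving an unbounded chain of checks. Build-time only; not configurable in squid.conf.`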
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
             /* override the default src_addr tested if we have to go deeper than one level into XFF */
             Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
         }
-        calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
-        return;
+        if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
+            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+            return;
+        }
+        const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
+        debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
+               Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
+               Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
+               Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
+        // fall through to resume clientAccessCheck() processing
     }
 }
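Review bot: The `debugs(28, DBG_CRITICAL, ...)` line added after the new hop check runs once per request and embeds `request->x_forwarded_for_iterator`, i.e. the whole remaining client-supplied address list, so any client sending more than SQUID_X_FORWARDED_FOR_HOP_MAX addresses turns every request into a cache.log ERROR entry whose length it controls; that is a cheap log-volume amplifier even though the recursion itself is now bounded. Keep the critical line short (the header name, the limit and the accepted address) and move the ignored tail, or just its count, to a lower debug level, and consider reporting it once per connection rather than per request. The `<` comparison on the incremented counter means the message is emitted when `currentXffHopNumber` equals the limit, so the value printed after "addresses allowed by follow_x_forwarded_for:" is the cap, not a count of addresses actually accepted in this walk; wording it as "limit:" would avoid misleading an operator. clientFollowXForwardedForCheck() begins before this hunk, so whether the counter is reset before a new walk on a reused ClientRequestContext is not visible here; if the context can outlive one walk, zero it where the walk starts.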