Uploaded image for project: 'HPCC'
  1. HPCC
  2. HPCC-16169

Enhance data available through CHttpSecureContext

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.0.x
    • Fix Version/s: 6.2.0, 6.4.0
    • Component/s: ESP
    • Labels:
      None

      Description

      Extend HttpPropertyType enumeration to support two additional value types with the getProp method:
      1. A named HTTP header
      2. An unnamed socket endpoint address

      Some users of the secure context make decisions based upon the contents of the "x-forwarded-for" header and the socket address. The secure user peer, which is currently available in security manager plugins, is derived from these values but is insufficient.

      A security manager which restricts access based on the originating IP address may choose to bypass this restriction for requests originating on the local host. A derived peer that is a local host address is not proof that the request originated locally - the local host address could be a result of a spoofed header. The socket address alone is also not proof, as the request could be forwarded from a proxy running on the local host. A socket endpoint that is a local host combined with the absence of a forwarding header provides greater confidence of local origination.

        Attachments

          Activity

            People

            • Assignee:
              rpastrana Rodrigo Pastrana
              Reporter:
              klemti01 Tim Klemm
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: