Cyrille,

On 10/9/2009 9:16 AM, Cyrille Le Clerc wrote:
> An idea to mitigate this risk is to ask the network team to remove
> some HTTP headers at the entry of the platform (x-forwarded-for,
> x-forwarded-proto, x-forwarded-... )

This makes a lot of sense, except that there might be some legitimate
proxies in the path that shouldn't be removed.

>> Uh.... huh? That seems counter-intuitive to trust the first untrusted IP
>> address you find. I'll read about mod_remoteip and see what it's all about.
>
> My mistake, I forgot to mention that it was evaluating from the right
> to the left.

Aah, that makes more sense. Thanks for the clarification.

- -chris
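The right-to-left evaluation discussed above, written out as an added Python example that is not part of this thread and is not the code of Tomcat's RemoteIpValve or Apache's mod_remoteip, only an illustration of the same rule they apply. The trusted-proxy list, the peer addresses and the header values are all constructed for the example; the naive left-most reading is included alongside it to show why it is spoofable.

```python
import ipaddress

# Constructed for the example: the platform's own reverse proxies /
# load balancers. Only addresses in these ranges are believed to have
# appended an honest entry to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


def _is_trusted_proxy(addr):
    """True if addr is one of our known proxies. Anything that is not a
    parseable IP (e.g. "unknown") is treated as untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _split_hops(xff_header):
    """X-Forwarded-For is a comma-separated list; each proxy appends the
    peer it saw, so the right-most entry was added by the last hop."""
    if not xff_header:
        return []
    return [hop.strip() for hop in xff_header.split(",") if hop.strip()]


def client_ip(remote_addr, xff_header):
    """Resolve the real client the way the right-to-left rule works.

    1. The TCP peer (remote_addr) must itself be a trusted proxy,
       otherwise the header was never written by anyone we trust and
       is ignored entirely.
    2. Walk X-Forwarded-For from the RIGHT, peeling off entries that are
       trusted proxies (each was appended by the proxy to its right).
    3. The first entry that is NOT a trusted proxy is the client.
       Everything further left was supplied by that client (or by an
       attacker) and carries no authority.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    for hop in reversed(_split_hops(xff_header)):
        if not _is_trusted_proxy(hop):
            return hop
    # Header empty or every hop was one of our proxies: fall back to peer.
    return remote_addr


def client_ip_naive(remote_addr, xff_header):
    """The unsafe reading: take the left-most entry. That entry is the
    one a client can set before the request ever reaches a proxy, so an
    attacker picks whatever address they like."""
    hops = _split_hops(xff_header)
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Constructed scenario: attacker 203.0.113.7 sends a forged
    # "X-Forwarded-For: 1.2.3.4"; the trusted proxy 10.0.0.5 appends the
    # peer it actually saw before handing the request to Tomcat.
    forged = "1.2.3.4, 203.0.113.7"
    print("right-to-left:", client_ip("10.0.0.5", forged))       # 203.0.113.7
    print("naive left-most:", client_ip_naive("10.0.0.5", forged))  # 1.2.3.4
    # Same forged header, but the attacker connects directly, bypassing
    # the proxy: the header is ignored and the peer address is used.
    print("direct:", client_ip("198.51.100.9", forged))          # 198.51.100.9
```

Note that the right-to-left walk is what makes stripping the header at the network edge unnecessary for spoofing purposes, provided the trusted-proxy list is accurate and every trusted proxy really does append the peer it saw: a legitimate upstream proxy that is not in the list is simply reported as the client, which is the failure mode to watch for when the list is too narrow.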