You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We encountered issues with oauth after upgrading to 2024-02-14a. It turns out that the redirect_uri sent back to the auth-provider now returns http:// instead of https://.
After some digging I found #4104 that changes the behavior of is_ssl() which seem to be the culprit of this issue.
We run Dokuwiki fronted with nginx that in turn is fronted by haproxy. Nginx has real_ip_header & set_real_ip_from set to correctly expose clientIP's in logs and to dokuwiki via server variable REMOTE_ADDR.
The new (IMO questionable) logic in is_ssl() breaks this setup by assuming REMOTE_ADDR always will be an RFC1918 IP if dokuwiki is behind a reverse proxy. This is wrong in multiple ways.
Firstly, REMOTE_ADDR should always be assumed to be the client IP. In the case where dokuwiki and it's webserver is behind a reverse proxy, it should be the webserver's task to set REMOTE_ADDR correctly based on the x-forwarded-for header and it's curated list of trusted proxy IPs.
Secondly, none of the HTTP_X_REAL_IP or HTTP_X_FORWARDED_* variables should never be used by dokuwiki unless explicitly enabled through a configuration option by the administrator. And it should also include a config option specifying a list of trusted proxy IPs/CIDRs. Using these variables/headers without validation may expose Dokuwiki to spoofing attacks.
The only time dokuwiki should read any arbitrary HTTP_X_FORWARDED_* variables would be as a workaround for faulty configured webservers, and with sufficient validation measures.
Version of DokuWiki
2024-02-14a
PHP Version
8.2
Webserver and version of webserver
Nginx on a Debian Bookworm, behind haproxy.
Browser and version of browser, operating system running browser
Not relevant
Additional environment information
No response
Relevant logs and/or error messages
No response
The text was updated successfully, but these errors were encountered:
The problem
We encountered issues with oauth after upgrading to 2024-02-14a. It turns out that the
redirect_urisent back to the auth-provider now returnshttp://instead ofhttps://.After some digging I found #4104 that changes the behavior of
is_ssl()which seem to be the culprit of this issue.We run Dokuwiki fronted with nginx that in turn is fronted by haproxy. Nginx has
real_ip_header&set_real_ip_fromset to correctly expose clientIP's in logs and to dokuwiki via server variableREMOTE_ADDR.<client> --https--> <haproxy> --http--> <nginx> --> <dokuwiki>With this setup the following server variables is exposed to php & dowkuwiki (where 176.10.x.y is the clients actually IP);
The new (IMO questionable) logic in
is_ssl()breaks this setup by assumingREMOTE_ADDRalways will be an RFC1918 IP if dokuwiki is behind a reverse proxy. This is wrong in multiple ways.Firstly, REMOTE_ADDR should always be assumed to be the client IP. In the case where dokuwiki and it's webserver is behind a reverse proxy, it should be the webserver's task to set REMOTE_ADDR correctly based on the x-forwarded-for header and it's curated list of trusted proxy IPs.
Secondly, none of the HTTP_X_REAL_IP or HTTP_X_FORWARDED_* variables should never be used by dokuwiki unless explicitly enabled through a configuration option by the administrator. And it should also include a config option specifying a list of trusted proxy IPs/CIDRs. Using these variables/headers without validation may expose Dokuwiki to spoofing attacks.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
The only time dokuwiki should read any arbitrary HTTP_X_FORWARDED_* variables would be as a workaround for faulty configured webservers, and with sufficient validation measures.
Version of DokuWiki
2024-02-14a
PHP Version
8.2
Webserver and version of webserver
Nginx on a Debian Bookworm, behind haproxy.
Browser and version of browser, operating system running browser
Not relevant
Additional environment information
No response
Relevant logs and/or error messages
No response
The text was updated successfully, but these errors were encountered: