authorMatthew Holt <[email protected]>2024-07-05 09:46:04 -0600
committerMatthew Holt <[email protected]>2024-07-05 09:46:04 -0600
commitbe7777fd80cf47d0bc2af446e5fb882e94154b1c (patch)
treea66bf018aad267091be30a576a387b9af40cedab
parentfbbf52dd0fbb970f0e22686dcd6a0b209ea19cdf (diff)
Don't return value for {remote} placeholder in early dataearly-data
-rw-r--r--modules/caddyhttp/replacer.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 1cf3ec474..2c0f32357 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
@@ -142,8 +142,16 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
}
return port, true
case "http.request.remote":
+ if req.TLS != nil && !req.TLS.HandshakeComplete {
+ // without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
+ return nil, true
+ }
return req.RemoteAddr, true
case "http.request.remote.host":
+ if req.TLS != nil && !req.TLS.HandshakeComplete {
+ // without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
+ return nil, true
+ }
host, _, err := net.SplitHostPort(req.RemoteAddr)
if err != nil {
// req.RemoteAddr is host:port for tcp and udp sockets and /unix/socket.path
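Review bot: The guard `req.TLS != nil && !req.TLS.HandshakeComplete` and its comment are duplicated verbatim in the two added blocks; pulling it into a small helper such as `func inEarlyData(req *http.Request) bool { return req.TLS != nil && !req.TLS.HandshakeComplete }` gives the trust rationale one home and keeps the two cases from drifting. The `http.request.remote.port` case whose tail is visible at the top of the hunk (`return port, true`) still returns the port of the same unverified address; if the concern applies there too it should get the same guard, otherwise a one-line comment saying why the port is exempt would help. The comment names QUIC early data specifically, while HandshakeComplete being false is the generic TLS 1.3 0-RTT signal, so `// TLS 1.3 0-RTT (e.g. QUIC "early data"): the handshake has not finished, so the remote address may be spoofed` would be more precise. addHTTPVarsToReplacer starts and ends outside the hunk.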