author | Matthew Holt <[email protected]> | 2024-07-05 09:46:04 -0600 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2024-07-05 09:46:04 -0600 |
commit | be7777fd80cf47d0bc2af446e5fb882e94154b1c (patch) | |
tree | a66bf018aad267091be30a576a387b9af40cedab | |
parent | fbbf52dd0fbb970f0e22686dcd6a0b209ea19cdf (diff) | |
Don't return value for {remote} placeholder in early dataearly-data
-rw-r--r-- | modules/caddyhttp/replacer.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 1cf3ec474..2c0f32357 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
@@ -142,8 +142,16 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
 }
 return port, true
 case "http.request.remote":
+ if req.TLS != nil && !req.TLS.HandshakeComplete {
+ // without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
+ return nil, true
+ }
 return req.RemoteAddr, true
 case "http.request.remote.host":
+ if req.TLS != nil && !req.TLS.HandshakeComplete {
+ // without a complete handshake (QUIC "early data") we can't trust the remote IP address to not be spoofed
+ return nil, true
+ }
 host, _, err := net.SplitHostPort(req.RemoteAddr)
 if err != nil {
 // req.RemoteAddr is host:port for tcp and udp sockets and /unix/socket.path |
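Review bot: The same `req.TLS != nil && !req.TLS.HandshakeComplete` guard and its comment are pasted verbatim into both the `http.request.remote` and `http.request.remote.host` cases, and any further remote-address placeholder handled in this switch (a port variant, if one exists outside the hunk) would need a third copy; a small named predicate keeps the rule in one place, e.g. `func remoteAddrUnvalidated(req *http.Request) bool { return req.TLS != nil && !req.TLS.HandshakeComplete }` with each case reduced to `if remoteAddrUnvalidated(req) { return nil, true }`. The predicate's doc comment is also the right home for the reasoning the inline comments only sketch: for TLS over TCP, net/http finishes the handshake before the handler runs, so in practice this condition is only true for QUIC 0-RTT, where the peer address has not yet been confirmed by the handshake and could be forged; I suggest stating that explicitly so a future reader does not assume the check protects HTTP/1.1 or HTTP/2 traffic. One consequence worth a sentence in the commit message or the comment is that the placeholder now resolves to an empty value during early data rather than an error, so anything templated on `{remote}` (access logs, headers forwarded upstream) silently loses the address for those requests; if that is intended, say so. The enclosing `addHTTPVarsToReplacer` function begins before and continues after this hunk.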