Previously we accepted proxy protocol requests at any point from the TCP
stream. This creates a vulnerability where the client can insert a proxy
protocol packet at any point and change its address to circumvent any
IP-based export access rules.
With this fix we only allow a single proxy protocol request. When
working with a proxy (like HAProxy) we know it will send the proxy
protocol request and it will be the first data that we read. Any
additional requests by the user will be ignored.
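
The rule described in the commit message, as an added sketch that is not the project's code: a PROXY header is honoured only when it is the first data read on the connection, and any later one leaves the recorded client address untouched. The `struct conn` layout and the function names are hypothetical. The sketch handles only the PROXY protocol v1 `TCP4` form and assumes the header arrives whole in the first read.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection state; all names here are assumptions. */
struct conn {
    char client_addr[INET_ADDRSTRLEN]; /* address checked by IP-based rules */
    int first_read_done;               /* set once the first data was seen */
};

/* Parse "PROXY TCP4 <src> <dst> <sport> <dport>\r\n" at the start of buf.
 * Returns the header length, or 0 if buf does not start with a valid one. */
static size_t parse_proxy_v1(const char *buf, size_t len, char *src_out) {
    char line[108] = {0}, src[16] = {0}, dst[16] = {0};
    unsigned sport, dport;
    struct in_addr a;
    size_t n = 0;
    int end = 0;
    while (n + 1 < len && n < 106 && !(buf[n] == '\r' && buf[n + 1] == '\n'))
        n++;
    if (n + 1 >= len || n >= 106) return 0; /* no CRLF within 107 bytes */
    memcpy(line, buf, n);
    if (strncmp(line, "PROXY TCP4 ", 11) != 0 ||
        sscanf(line, "PROXY TCP4 %15s %15s %u %u%n", src, dst, &sport, &dport, &end) != 4 ||
        line[end] != '\0' || sport > 65535 || dport > 65535 ||
        inet_pton(AF_INET, src, &a) != 1 || inet_pton(AF_INET, dst, &a) != 1)
        return 0;
    snprintf(src_out, INET_ADDRSTRLEN, "%s", src);
    return n + 2;
}

/* Feed one read from the socket. Returns how many leading bytes were a PROXY
 * header; everything else, including a later "PROXY ..." line, is payload. */
size_t conn_feed(struct conn *c, const char *buf, size_t len) {
    size_t hdr = 0;
    if (!c->first_read_done) /* only the first data may carry the header */
        hdr = parse_proxy_v1(buf, len, c->client_addr);
    c->first_read_done = 1;
    return hdr;
}

int main(void) {
    const char *h1 = "PROXY TCP4 192.0.2.10 198.51.100.5 51234 2049\r\n";
    const char *h2 = "PROXY TCP4 10.0.0.1 198.51.100.5 51234 2049\r\n";
    struct conn c = { "203.0.113.7", 0 }; /* socket peer; constructed sample */
    conn_feed(&c, h1, strlen(h1)); /* first data: accepted */
    conn_feed(&c, h2, strlen(h2)); /* later header: ignored */
    return puts(c.client_addr) < 0;
}
```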