linuxbox2 / ntirpc

New development on tirpc

Only allow one proxy protocol request #30

Closed shaharhoch closed 3 months ago

shaharhoch commented 3 months ago

Previously we accepted proxy protocol requests at any point from the TCP stream. This creates a vulnerability where the client can insert a proxy protocol packet at any point and change its address to circumvent any IP-based export access rules.

With this fix we only allow a single proxy protocol request. When working with a proxy (like HAProxy) we know it will send the proxy protocol request and it will be the first data that we read. Any additional requests by the user will be ignored.
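
The behaviour described in the comment above, as an added example that is not taken from the ntirpc patch or written by its author: a per-connection flag closes the PROXY-header window after the first read, so a later header in the stream is treated as payload and cannot change the address used for access checks. `struct conn`, `conn_feed` and all addresses are hypothetical; the code assumes a PROXY protocol v1 TCP4 header that arrives whole in the first read.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection state; not ntirpc's own structures. */
struct conn {
    char peer[INET_ADDRSTRLEN]; /* address the access rules are checked against */
    int first_read_done;        /* set on the first read, header or not */
};

/* Returns header bytes consumed, 0 if the chunk is all payload, or -1 if the
 * first chunk carries a malformed header (caller should drop the connection). */
int conn_feed(struct conn *c, const char *buf, size_t len)
{
    char line[108], src[INET_ADDRSTRLEN]; /* a v1 header is at most 107 bytes */
    struct in_addr addr;
    const char *eol;
    size_t n;

    if (c->first_read_done)
        return 0;           /* later "PROXY ..." bytes are ordinary payload */
    c->first_read_done = 1; /* the window closes even if no header arrived */
    if (len < 6 || memcmp(buf, "PROXY ", 6) != 0)
        return 0;
    eol = memchr(buf, '\n', len < 107 ? len : 107);
    if (eol == NULL || eol[-1] != '\r')
        return -1;
    n = (size_t)(eol - buf) + 1;
    memcpy(line, buf, n);
    line[n] = '\0';
    if (sscanf(line, "PROXY TCP4 %15s", src) != 1 ||
        inet_pton(AF_INET, src, &addr) != 1)
        return -1;          /* only TCP4 is handled here (assumption) */
    snprintf(c->peer, sizeof(c->peer), "%s", src);
    return (int)n;
}

int main(void)
{
    /* Constructed input: the proxy's header, then a client-injected second one. */
    const char h1[] = "PROXY TCP4 192.0.2.10 10.0.0.1 40000 2049\r\n";
    const char h2[] = "PROXY TCP4 198.51.100.7 10.0.0.1 40000 2049\r\n";
    struct conn c = { "10.0.0.5", 0 }; /* socket peer = the proxy itself */

    conn_feed(&c, h1, sizeof(h1) - 1);
    conn_feed(&c, h2, sizeof(h2) - 1);
    printf("peer used for access checks: %s\n", c.peer);
    return 0;
}
```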

shaharhoch commented 3 months ago

Sorry, mistake in creating this pull request.