gateway: harden path prefix #1988

Merged
merged 1 commit into from
Apr 4, 2016
Commits on Apr 4, 2016

  1. gateway: enforce allowlist for path prefixes

    The gateway accepts an X-Ipfs-Path-Prefix header,
    and assumes that it is mounted in a reverse proxy
    like nginx, at this path. Links in directory listings,
    as well as trailing-slash redirects need to be rewritten
    with that prefix in mind.
    
    We don't want a potential attacker to be able to
    pass in arbitrary path prefixes, which would end up
    in redirects and directory listings, which is why
    every prefix has to be explicitly allowed in the config.
    
    Previously, we'd accept *any* X-Ipfs-Path-Prefix header.
    
    Example:
    
    We mount blog.ipfs.io (a dnslink page) at ipfs.io/blog.
    
    nginx_ipfs.conf:
    
        location /blog/ {
            rewrite "^/blog(/.*)$" $1 break;
            proxy_set_header Host blog.ipfs.io;
            proxy_set_header X-Ipfs-Gateway-Prefix /blog;
            proxy_pass http://127.0.0.1:8080;
        }
    
    .ipfs/config:
    
        "Gateway": {
            "PathPrefixes": ["/blog"],
            // ...
        },
    
    dnslink:
    
        > dig TXT _dnslink.blog.ipfs.io
        dnslink=/ipfs/QmWcBjXPAEdhXDATV4ghUpkAonNBbiyFx1VmmHcQe9HEGd
    
    License: MIT
    Signed-off-by: Lars Gierth <larsg@systemli.org>
    Lars Gierth committed Apr 4, 2016
    Commit 09937f8
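
The allowlist check described in the commit message, as an added Go example that is not code from this pull request or from the project. It assumes exact matching against the configured entries and uses the header name from the nginx example; `allowedPrefix`, `redirectHandler` and `locationFor` are hypothetical names, and the requests are constructed test input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const prefixHeader = "X-Ipfs-Gateway-Prefix" // header name from the nginx example

// allowedPrefix returns hdr only when it exactly equals a configured entry
// (Gateway.PathPrefixes); any other value is treated as if no header was sent.
func allowedPrefix(hdr string, allow []string) string {
	for _, p := range allow {
		if hdr == p {
			return hdr
		}
	}
	return ""
}

// redirectHandler is a stand-in for the gateway's trailing-slash redirect.
func redirectHandler(allow []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		prefix := allowedPrefix(r.Header.Get(prefixHeader), allow)
		if !strings.HasSuffix(r.URL.Path, "/") {
			http.Redirect(w, r, prefix+r.URL.Path+"/", http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// locationFor sends one constructed request and returns the Location header.
func locationFor(allow []string, hdr, path string) string {
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set(prefixHeader, hdr)
	rec := httptest.NewRecorder()
	redirectHandler(allow)(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	allow := []string{"/blog"} // same value as "PathPrefixes" in the commit message
	for _, hdr := range []string{"/blog", "/blogx", "/unlisted", ""} {
		fmt.Printf("%-12q -> %q\n", hdr, locationFor(allow, hdr, "/posts"))
	}
}
```

Only the configured `/blog` value reaches the `Location` header; every other header value produces the same redirect as a request with no prefix header.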