Skip to content

GitLab

Switch branch/tag
  1. 09 Jun, 2016 1 commit
  3. 01 Jun, 2016 2 commits
  5. 17 May, 2016 2 commits
  7. 10 May, 2016 1 commit
  9. 04 May, 2016 1 commit
  11. 29 Apr, 2016 1 commit
  13. 25 Apr, 2016 1 commit
  15. 17 Apr, 2016 2 commits
  17. 11 Apr, 2016 2 commits
  19. 08 Apr, 2016 3 commits
  21. 07 Apr, 2016 2 commits
  23. 04 Apr, 2016 1 commit
    • Lars Gierth's avatar
      gateway: enforce allowlist for path prefixes · 09937f84
      Lars Gierth authored 
      The gateway accepts an X-Ipfs-Path-Prefix header,
and assumes that it is mounted in a reverse proxy
like nginx, at this path. Links in directory listings,
as well as trailing-slash redirects need to be rewritten
with that prefix in mind.

We don't want a potential attacker to be able to
pass in arbitrary path prefixes, which would end up
in redirects and directory listings, which is why
every prefix has to be explicitly allowed in the config.

Previously, we'd accept *any* X-Ipfs-Path-Prefix header.

Example:

We mount blog.ipfs.io (a dnslink page) at ipfs.io/blog.

nginx_ipfs.conf:

    location /blog/ {
        rewrite "^/blog(/.*)$" $1 break;
        proxy_set_header Host blog.ipfs.io;
        proxy_set_header X-Ipfs-Gateway-Prefix /blog;
        proxy_pass http://127.0.0.1:8080;
    }

.ipfs/config:

    "Gateway": {
        "PathPrefixes": ["/blog"],
        // ...
    },

dnslink:

    > dig TXT _dnslink.blog.ipfs.io
    dnslink=/ipfs/QmWcBjXPAEdhXDATV4ghUpkAonNBbiyFx1VmmHcQe9HEGd

License: MIT
Signed-off-by: default avatarLars Gierth <larsg@systemli.org>
      09937f84
  25. 30 Mar, 2016 1 commit
  27. 09 Mar, 2016 1 commit
  29. 13 Feb, 2016 1 commit
  31. 31 Jan, 2016 2 commits
  33. 30 Jan, 2016 3 commits
  35. 12 Jan, 2016 6 commits
  37. 28 Dec, 2015 1 commit
  39. 08 Dec, 2015 2 commits
  41. 30 Nov, 2015 1 commit
  43. 25 Nov, 2015 2 commits
  45. 11 Nov, 2015 1 commit