Commits on Apr 4, 2016

1. gateway: enforce allowlist for path prefixes …

   The gateway accepts an X-Ipfs-Path-Prefix header,
   and assumes that it is mounted in a reverse proxy
   like nginx, at this path. Links in directory listings,
   as well as trailing-slash redirects need to be rewritten
   with that prefix in mind.
   
   We don't want a potential attacker to be able to
   pass in arbitrary path prefixes, which would end up
   in redirects and directory listings, which is why
   every prefix has to be explicitly allowed in the config.
   
   Previously, we'd accept *any* X-Ipfs-Path-Prefix header.
   
   Example:
   
   We mount blog.ipfs.io (a dnslink page) at ipfs.io/blog.
   
   nginx_ipfs.conf:
   
       location /blog/ {
           rewrite "^/blog(/.*)$" $1 break;
           proxy_set_header Host blog.ipfs.io;
           proxy_set_header X-Ipfs-Gateway-Prefix /blog;
           proxy_pass http://127.0.0.1:8080;
       }
   
   .ipfs/config:
   
       "Gateway": {
           "PathPrefixes": ["/blog"],
           // ...
       },
   
   dnslink:
   
       > dig TXT _dnslink.blog.ipfs.io
       dnslink=/ipfs/QmWcBjXPAEdhXDATV4ghUpkAonNBbiyFx1VmmHcQe9HEGd
   
   License: MIT
   Signed-off-by: Lars Gierth <[email protected]>

   Lars Gierth committed Apr 4, 2016
   Configuration menu

   • View commit details
   • Copy full SHA for 09937f8
   • Browse repository at this point

   Copy the full SHA

   09937f8 View commit details

   Browse the repository at this point in the history