Incident report
Resolution: Won't fix
Minor
None
1.8.3
This code is used in the PHP frontend for audit purposes:
$ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
The X-Forwarded-For header can be set by many untrusted parties, including the remote user agent and remote HTTP proxies. For example, I noticed this error because my Squid cache has the setting "forwarded_for off" and sends the header exactly as:
X-Forwarded-For: unknown
and I see IP: unknown in all audit logs.
The right solution would be to add a configuration parameter like
$REMOTE_IP_HEADER = "X-Forwarded-For";
commented out by default.
Some administrators prefer to use a custom header in complex backend-frontend setups, so it is better to be able to configure the exact header name rather than just a "use it? yes/no" setting.
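The following is an added example, not code from the Zabbix frontend or from the reporter, showing how the proposed configurable header could be consumed safely: the header is only believed when the TCP peer (REMOTE_ADDR) is a known proxy, the comma-separated chain is walked from the right past trusted hops, and non-IP values such as Squid's "unknown" fall back to REMOTE_ADDR instead of reaching the audit log. The function name audit_client_ip, the $headerName parameter (standing in for the proposed $REMOTE_IP_HEADER) and the trusted-proxy list are assumptions made for this example.

```php
<?php
// Added example (not Zabbix frontend code): resolve the client IP for audit
// logging without trusting a header that any client can set.
// Assumed: $headerName mirrors the proposed $REMOTE_IP_HEADER config value
// (null = parameter left commented out, use REMOTE_ADDR only) and
// $trustedProxies lists the frontend proxies whose header may be believed.

/**
 * Return the client IP to record in audit logs.
 *
 * @param array       $server         $_SERVER-like array
 * @param string|null $headerName     e.g. "X-Forwarded-For"; null disables header use
 * @param string[]    $trustedProxies proxy IPs whose forwarding header may be trusted
 */
function audit_client_ip(array $server, ?string $headerName, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // No header configured, or the TCP peer is not one of our proxies:
    // the header is client-controlled, so ignore it entirely.
    if ($headerName === null || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // PHP exposes "X-Forwarded-For" as $_SERVER['HTTP_X_FORWARDED_FOR'].
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
    if (empty($server[$key])) {
        return $remote;
    }

    // The header is a comma-separated chain: client, proxy1, proxy2, ...
    // Walk from the right, skipping the proxies we trust; the first remaining
    // entry is the address the nearest trusted proxy actually saw.
    $hops = array_map('trim', explode(',', $server[$key]));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Squid with "forwarded_for off" sends "unknown"; anything that is not
        // a syntactically valid IP must not be written to the audit log as-is.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        break;
    }
    return $remote;
}

// Constructed sample requests for illustration (not real log data).
$proxies = ['10.0.0.5'];

// 1. Request via our Squid with forwarded_for off: header value is "unknown".
$r1 = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'unknown'];
// 2. Direct request where the client forges the header: must be ignored.
$r2 = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// 3. Request via our proxy carrying a proper chain.
$r3 = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5'];

echo audit_client_ip($r1, 'X-Forwarded-For', $proxies), "\n";
echo audit_client_ip($r2, 'X-Forwarded-For', $proxies), "\n";
echo audit_client_ip($r3, 'X-Forwarded-For', $proxies), "\n";
// 4. Header parameter left commented out in the config: REMOTE_ADDR only.
echo audit_client_ip($r3, null, $proxies), "\n";
```

With the header parameter commented out the function behaves exactly like a plain REMOTE_ADDR lookup, which is the safe default; enabling it without also listing the trusted proxies would bring back the original problem, so the two settings belong together in the configuration file.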