[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Wed Feb 20 10:30:11 CET 2008


Michael Stucki schrieb:
> This is a SVN patch request.
> 
> Problem:
> When requesting the client's REMOTE_ADDR, it can happen that there is a proxy
> in between server and client, which replaces the value with its own IP, and
> puts the original IP in HTTP_X_FORWARDED_FOR instead.
> 
> Solution:
> Add a new configuration option to send HTTP_X_FORWARDED_FOR when requesting
> the REMOTE_ADDR.

Here's a new patch. This one is more secure as it ties TYPO3 to a set of 
known proxies. Furthermore you may define that one or more proxies use 
SSL in connection to the Internet. And additionally it's possible to add 
a prefix for http and https proxies in case there is a (weird) 
path-changing proxy setup in place (seems to be the case with some mass 
SSL-BE hosters).

What the patch doesn't do is take care of possible port problems. I 
guess it's possible that the proxy uses 80, but the internal server uses 
a non-standard port. This will probably lead to trouble.

> Comments:
> I am not sure how to deal with the REMOTE_HOST field. I suppose it must be
> wrong, too, but there seems no replacement for it.
> Currently, I also send HTTP_X_FORWARDED_FOR when asking for REMOTE_HOST,
> however there could be conflicts when a hostname is requested, and an IP is
> returned(?)

Use HTTP_X_FORWARDED_FOR. My patch doesn't do anything if that is not 
present, but of course we could do a DNS lookup of the IP address 
returned in HTTP_X_FORWARDED_FOR.

Please have a careful look at this patch. I have just now compiled it 
from my own stuff and ideas of Henning Pingel and Dmitry. That means that 
the patch as-is is not tested.

Masi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug_7397_v2.diff
Type: text/x-diff
Size: 10931 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20080220/47280a85/attachment.diff 
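As an added illustration of the "known proxies" approach discussed in this thread (this is not the attached patch and not TYPO3's own code), the following PHP resolves the client address from HTTP_X_FORWARDED_FOR only when REMOTE_ADDR is one of the administrator's listed proxies, and reports HTTPS when the terminating proxy is in a separate SSL-proxy list. The function names, the proxy lists and the sample $_SERVER arrays are assumptions constructed for the example; like the patch, it does not address the port mismatch mentioned above.

```php
<?php
// Added example, not the mailing-list patch: resolve the client IP only when the
// request reached us through a proxy we administer (IPv4 only; data constructed).

// True if $ip equals $entry, or falls inside it when $entry is CIDR ("10.0.0.0/8").
function ipMatches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) return $ip === $entry;
    [$net, $bits] = explode('/', $entry, 2);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function isTrustedProxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $entry) {
        if (ipMatches($ip, $entry)) return true;
    }
    return false;
}

// Walk X-Forwarded-For from the right (the hop nearest us), skipping our own
// proxies; the first remaining address is the client. Anything further left was
// written by an untrusted party. A direct client's header is ignored outright.
function clientIp(array $server, array $trusted): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!isTrustedProxy($remote, $trusted) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!isTrustedProxy($hops[$i], $trusted)) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was one of ours: report the proxy itself
}

// HTTPS if PHP itself saw TLS, or if the terminating proxy is in the SSL-proxy list.
function isHttps(array $server, array $sslProxies): bool
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || isTrustedProxy($server['REMOTE_ADDR'], $sslProxies);
}

$trusted = ['10.0.0.0/8', '192.0.2.7'];                       // constructed proxy list
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$viaProxy = ['REMOTE_ADDR' => '192.0.2.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9, 10.1.1.1'];
var_dump(clientIp($direct, $trusted), clientIp($viaProxy, $trusted), isHttps($viaProxy, ['192.0.2.7']));
```

In the first sample request the client talks to us directly, so its forged header is discarded; in the second, the leftmost address was supplied by the client and only the address just before the first trusted hop is taken.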

