[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Dmitry Dulepov [typo3] dmitry at typo3.org
Tue Feb 5 18:40:05 CET 2008


Hi!

Michael Stucki wrote:
> Problem:
> When requesting the client's REMOTE_ADDR, it can happen that there is a proxy
> in between server and client, which replaces the value with its own IP, and
> puts the original IP in HTTP_X_FORWARDED_FOR instead.
> 
> Solution:
> Add a new configuration option to send HTTP_X_FORWARDED_FOR when requesting
> the REMOTE_ADDR.

There is a problem with the patch. Some proxies are configured to reveal themselves but not show the IP address of the user. They send HTTP_X_FORWARDED_FOR with the value "unknown". So your patch will give an invalid IP address. Some proxies are chained and they return two or more addresses (like "192.168.0.23, 10.10.10.5") and it is impossible to determine which address really belongs to the client. This also will not produce proper output with your patch.

Correct behavior would be:
- check if HTTP_X_FORWARDED_FOR is a single valid IP address using "$ip == long2ip(ip2long($ip))"
- if not valid - revert to using REMOTE_ADDR
- if valid, use gethostbyaddr() to return proper REMOTE_ADDR

Finally I think it is not worth to return 127.0.0.0/24, 172.16.0.0/16, 192.168.0/24, 10.0.0.0/8 because they are local and make no sense at all.

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"

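The checks Dmitry lists above, worked through as an added PHP example (this is not TYPO3 core code and not the patch under discussion). It validates HTTP_X_FORWARDED_FOR with the long2ip(ip2long()) round trip, falls back to REMOTE_ADDR for "unknown" and for private addresses, and goes beyond the message in two ways: the header is only honoured when REMOTE_ADDR is in a configured list of trusted proxies (the `$trustedProxies` setting is hypothetical), and for a comma-separated chain it takes the right-most entry not belonging to one of those proxies instead of discarding the whole list. The private ranges use the standard loopback and RFC 1918 blocks. The gethostbyaddr() step is left out because it needs DNS.

```php
<?php
// Added example, not TYPO3 core code. $trustedProxies is a hypothetical
// configuration value: the addresses of the reverse proxies we operate.

/** True if $ip is exactly one well-formed IPv4 address (rejects "unknown" and lists). */
function isSingleValidIPv4(string $ip): bool
{
    $long = ip2long($ip);
    return $long !== false && long2ip($long) === $ip;
}

/** True if $ip falls inside the CIDR block, e.g. "10.0.0.0/8" (IPv4 only). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/** Loopback and RFC 1918 addresses: not worth reporting as a client address. */
function isPrivateOrLoopback(string $ip): bool
{
    foreach (['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client address from REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
 * Falls back to REMOTE_ADDR whenever the header cannot be trusted or parsed.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';
    $header     = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // Any client can send X-Forwarded-For, so only a proxy we control is
    // allowed to vouch for the address it forwards.
    if ($header === '' || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    // Chained proxies append to the list, so the right-most entry that is not
    // one of our own proxies is the address our trusted proxy actually saw.
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // "unknown", malformed text, or a private address: do not report it.
        if (!isSingleValidIPv4($hop) || isPrivateOrLoopback($hop)) {
            return $remoteAddr;
        }
        return $hop;
    }
    return $remoteAddr;
}

// Constructed sample requests (not captured traffic), one per case from the message.
$trustedProxies = ['10.10.10.5'];
$cases = [
    'direct'    => ['REMOTE_ADDR' => '203.0.113.7'],
    'proxied'   => ['REMOTE_ADDR' => '10.10.10.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.42'],
    'unknown'   => ['REMOTE_ADDR' => '10.10.10.5', 'HTTP_X_FORWARDED_FOR' => 'unknown'],
    'chained'   => ['REMOTE_ADDR' => '10.10.10.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.42, 192.0.2.9, 10.10.10.5'],
    'private'   => ['REMOTE_ADDR' => '10.10.10.5', 'HTTP_X_FORWARDED_FOR' => '192.168.0.23, 10.10.10.5'],
    'untrusted' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
];
foreach ($cases as $name => $server) {
    printf("%-9s => %s\n", $name, resolveClientIp($server, $trustedProxies));
}
```

Pass the real `$_SERVER` array in place of the constructed `$server` to use it in a request. The trusted-proxy list is the piece that matters most: without it the header is attacker-controlled input, and every later check (validity, private range) only decides whether a self-chosen value looks plausible, not whether it is true.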
