[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Tue Feb 19 21:59:30 CET 2008


Dmitry Dulepov [typo3] schrieb:
> Hi!
> 
> Michael Stucki wrote:
>> Problem:
>> When requesting the client's REMOTE_ADDR, it can happen that there is a 
>> proxy in between server and client, which replaces the value with its own 
>> IP, and puts the original IP in HTTP_X_FORWARDED_FOR instead.
>>
>> Solution:
>> Add a new configuration option to send HTTP_X_FORWARDED_FOR when 
>> requesting the REMOTE_ADDR.
> 
> There is a problem with the patch. Some proxies are configured to reveal 
> themselves but not show the IP address of the user. They send 
> HTTP_X_FORWARDED_FOR with the value "unknown". So your patch will give an 
> invalid IP address.

But is reverting to REMOTE_ADDR correct? Another approach would be to 
return 127.0.0.1 (possibly dangerous) or 0.0.0.0.

> Some proxies are chained and they return two or more 
> addresses (like "192.168.0.23, 10.10.10.5") and it is impossible to 
> determine which address really belongs to the client. This also will not 
> produce proper output with your patch.

I have (in an implementation of mine) decided to use the first value. 
Does it make sense to make this configurable? Use first, last or none if 
two or more addresses were found?

> Finally I think it is not worth returning 127.0.0.0/24, 172.16.0.0/16, 
> 192.168.0/24, 10.0.0.0/8 because they are local and make no sense at all.

Why? An intranet could be completely within a local zone.

Masi
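As an added illustration of the three cases raised in this thread (an "unknown" placeholder, a chained list of addresses, and the first/last/none choice Martin asks about), here is a small PHP helper. It is example code written for this page, not the TYPO3 patch under discussion and not part of the TYPO3 code base; the function name `resolveClientIp`, the `$trustedProxies` list and the `$strategy` parameter are assumptions of this example. The one point it adds beyond the thread is the usual defensive rule: HTTP_X_FORWARDED_FOR is a header any client can send, so it is only consulted when REMOTE_ADDR is one of the installation's own proxies; otherwise REMOTE_ADDR is returned unchanged. Private ranges are deliberately kept, as Martin notes an intranet may live entirely inside one.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (example code, not TYPO3's): derive the client IP from
 * REMOTE_ADDR plus an optional HTTP_X_FORWARDED_FOR header.
 *
 * $trustedProxies: addresses of the reverse proxies this installation operates.
 * $strategy:  'first' -> leftmost hop in the chain (the choice Martin describes)
 *             'last'  -> rightmost hop that is not itself a trusted proxy
 *             'none'  -> ignore the header entirely when it lists several hops
 */
function resolveClientIp(array $server, array $trustedProxies, string $strategy = 'last'): string
{
    $remote = (string)($server['REMOTE_ADDR'] ?? '');
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';  // no usable peer address at all (one of the fallbacks discussed above)
    }

    // Only a request that reached us through a proxy we operate may carry a
    // header we are willing to believe; any other sender can set it to anything.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $header = trim((string)($server['HTTP_X_FORWARDED_FOR'] ?? ''));
    if ($header === '') {
        return $remote;
    }

    // Split the chain and drop "unknown" placeholders and anything that does not parse.
    $hops = [];
    foreach (explode(',', $header) as $hop) {
        $hop = trim($hop);
        if ($hop === '' || strcasecmp($hop, 'unknown') === 0) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            $hops[] = $hop;
        }
    }
    if ($hops === []) {
        return $remote;  // header present, but it carried no valid address
    }
    if ($strategy === 'none' && count($hops) > 1) {
        return $remote;
    }
    if ($strategy === 'first') {
        return $hops[0];
    }

    // 'last': walk from the right, skipping hops that are our own proxies, so a
    // chain such as "client, proxyA, proxyB" resolves to the client.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote;  // every hop was one of ours; nothing better than the peer address
}

// Constructed sample requests (not captured traffic); the trusted proxy is assumed to be 10.0.0.1.
$trusted = ['10.0.0.1'];
$samples = [
    'direct client'            => ['REMOTE_ADDR' => '203.0.113.7'],
    'header from untrusted'    => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'],
    'proxy hides client'       => ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => 'unknown'],
    'chained proxies'          => ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '192.168.0.23, 10.10.10.5'],
    'garbage plus own proxy'   => ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip, 198.51.100.9, 10.0.0.1'],
];
foreach ($samples as $label => $server) {
    printf(
        "%-24s first=%-15s last=%-15s none=%s\n",
        $label,
        resolveClientIp($server, $trusted, 'first'),
        resolveClientIp($server, $trusted, 'last'),
        resolveClientIp($server, $trusted, 'none')
    );
}
```

The "chained proxies" sample shows why the first/last choice matters: 'first' yields 192.168.0.23 and 'last' yields 10.10.10.5, and only the operator knows which of the two is the hop they trust. If an installation does want to discard the local ranges Dmitry lists, the same `filter_var` call accepts `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE` as an additional argument; the example leaves them out on purpose.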
