[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Dmitry Dulepov [typo3] dmitry at typo3.org
Wed Feb 20 08:32:34 CET 2008


Hi!

Martin Kutschker wrote:
> Dmitry Dulepov [typo3] wrote:
>> There is a problem with the patch. Some proxies are configured to 
>> reveal themselves but not show IP address of the user. They send 
>> HTTP_X_FORWARDED_FOR with value "unknown". So your patch will give an 
>> invalid IP address.
> 
> But is reverting to REMOTE_ADDR correct? Another approach would be to 
> return 127.0.0.1 (possibly dangerous) or 0.0.0.0.

I think it is more correct than returning "unknown" or "0.0.0.0". Both these replies have nothing to do with the request. REMOTE_ADDR value is the only valid information in this case.

>> Some proxies are chained and they return two or more addresses (like 
>> "192.168.0.23, 10.10.10.5") and it is impossible to determine which 
>> address really belongs to client. That also will not produce proper output 
>> with your patch.
> 
> I have (in an implementation of mine) decided to use the first value. 
> Does it make sense to make this configurable? Use first, last or none if 
> two or more addresses were found?

I am not sure what would be the best. The answer probably can be found by looking at Squid and other popular servers. They should have described in what order they return addresses.

>> Finally I think it is not worth to return 127.0.0.0/24, 172.16.0.0/16, 
>> 192.168.0/24, 10.0.0.0/8 because they are local and make no sense at all.
> 
> Why? An intranet could be completely within a local zone.

But you cannot block it or do anything with this information. You only know that it is a local network. What can you do next with it? If REMOTE_ADDR is returned, it will be clear to whom it belongs. If you see only 172.16.0.201, what useful information can you get from it? Nothing. You cannot even say if it is US or China.

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"
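As an added example (my own code, not the patch under discussion and not TYPO3's): a PHP resolver that only believes X-Forwarded-For when REMOTE_ADDR is one of our own proxies, walks a chained list from the right past those proxies (the rightmost entry is the one the nearest trusted hop saw; the leftmost is whatever the client claimed), and falls back to REMOTE_ADDR for "unknown", malformed, private or reserved entries. The function name, $trustedProxies and the sample addresses are assumptions.

```php
<?php
// Added example, not TYPO3 code. Assumes $server is the $_SERVER array and
// $trustedProxies lists the reverse proxies whose X-Forwarded-For we believe.

function resolveClientIp(array $server, array $trustedProxies): string
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';

    // Only honour X-Forwarded-For when the direct peer is a proxy we run;
    // otherwise the header is client-controlled and REMOTE_ADDR is the
    // only value we can stand behind.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    $header = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($header === '') {
        return $remoteAddr;
    }

    // Chained proxies append to the right, so walk from the right and skip
    // our own proxies; the first remaining entry is the nearest real hop.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // "unknown", junk and private/reserved ranges (10/8, 172.16/12,
        // 192.168/16, 127/8, ...) carry no usable information: fall back.
        $valid = filter_var($hop, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        return $valid === false ? $remoteAddr : $hop;
    }
    return $remoteAddr;
}

// Constructed sample requests (203.0.113.10 plays our reverse proxy).
$viaProxy = ['REMOTE_ADDR' => '203.0.113.10'];
$cases = [
    $viaProxy + ['HTTP_X_FORWARDED_FOR' => 'unknown'],                    // -> 203.0.113.10
    $viaProxy + ['HTTP_X_FORWARDED_FOR' => '192.168.0.23, 198.51.100.7'], // -> 198.51.100.7
    $viaProxy + ['HTTP_X_FORWARDED_FOR' => '10.10.10.5'],                 // -> 203.0.113.10
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'], // -> 198.51.100.9
];
foreach ($cases as $case) {
    echo resolveClientIp($case, ['203.0.113.10']), "\n";
}
```

The last case shows why the trusted-proxy check matters: a direct client can send any X-Forwarded-For it likes, and without the check it would be taken at face value.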

