[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Dmitry Dulepov [typo3] dmitry at typo3.org
Wed Feb 20 10:05:42 CET 2008


Hi!

Martin Kutschker wrote:
> How could that be? Unless the client is spoofing his IP address any 
> local IP address comes from one of you interal addresses of your own 
> network. Local addresses are never sent accross the Internet.

They are sent in HTTP_X_FORWARDED_FOR very often. Theoretically you can record the address and contact proxy admin if user misbehaves. He will be able to find user through internal IP. But if TYPO3 returns 192.168.0.22 as REMOTE_ADDR, you would not be able to complain because there is no information about proxy. It makes sense to return only valid global addresses in REMOTE_ADDR.

-- 
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"


More information about the TYPO3-team-core mailing list