[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Wed Feb 20 10:14:21 CET 2008
Dmitry Dulepov [typo3] schrieb:
> Hi!
>
> Martin Kutschker wrote:
>> How could that be? Unless the client is spoofing his IP address any
>> local IP address comes from one of you interal addresses of your own
>> network. Local addresses are never sent accross the Internet.
>
> They are sent in HTTP_X_FORWARDED_FOR very often. Theoretically you can
> record the address and contact proxy admin if user misbehaves. He will
> be able to find user through internal IP. But if TYPO3 returns
> 192.168.0.22 as REMOTE_ADDR, you would not be able to complain because
> there is no information about proxy. It makes sense to return only valid
> global addresses in REMOTE_ADDR.
But this cannot happen. HTTP_X_FORWARDED_FOR is only accessed if
REMOTE_ADDRESS matches an IP that *you* have configured. This isn't
about some fancy proxies that might come into play somewhere, but about
your own or your ISP's proxy.
Masi
More information about the TYPO3-team-core
mailing list