[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Wed Feb 20 10:14:21 CET 2008


Dmitry Dulepov [typo3] wrote:
> Hi!
> 
> Martin Kutschker wrote:
>> How could that be? Unless the client is spoofing his IP address any 
>> local IP address comes from one of your internal addresses of your own 
>> network. Local addresses are never sent across the Internet.
> 
> They are sent in HTTP_X_FORWARDED_FOR very often. Theoretically you can 
> record the address and contact proxy admin if user misbehaves. He will 
> be able to find user through internal IP. But if TYPO3 returns 
> 192.168.0.22 as REMOTE_ADDR, you would not be able to complain because 
> there is no information about proxy. It makes sense to return only valid 
> global addresses in REMOTE_ADDR.

But this cannot happen. HTTP_X_FORWARDED_FOR is only accessed if 
REMOTE_ADDRESS matches an IP that *you* have configured. This isn't 
about some fancy proxies that might come into play somewhere, but about 
your own or your ISP's proxy.

Masi
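
The rule described in the reply above (the forwarded header is consulted only when the direct peer is a configured proxy), as an added PHP example that is not part of the original mail and not TYPO3's code. The function names, the proxy list and the sample addresses are assumptions; walking the header from right to left goes beyond what the mail states.

```php
<?php
// Added example, not TYPO3 code; names and addresses are hypothetical. IPv4 only, 64-bit PHP.

/** True if $ip matches an entry ("a.b.c.d" or "a.b.c.d/n") in the configured proxy list. */
function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    $ipLong = ip2long($ip);
    foreach ($trustedProxies as $cidr) {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
        $netLong = ip2long($net);
        if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int)$bits > 32) {
            continue; // unparsable address or prefix length: never a match
        }
        $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/** The forwarded header is read only when the direct peer is one of our own proxies. */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '' || !isTrustedProxy($peer, $trustedProxies)) {
        return $peer; // header ignored: the peer is not a configured proxy
    }
    // Walk right to left: the rightmost entries were appended by our own proxies.
    foreach (array_reverse(array_map('trim', explode(',', $header))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer; // malformed entry: fall back to the direct peer
        }
        if (!isTrustedProxy($hop, $trustedProxies)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $peer; // every listed hop was one of our own proxies
}

$trusted = ['203.0.113.10', '10.0.0.0/8']; // constructed: addresses of our own proxies
$requests = [ // constructed sample requests
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '192.168.0.22, 198.51.100.7'],
    ['REMOTE_ADDR' => '198.51.100.99', 'HTTP_X_FORWARDED_FOR' => '192.168.0.22'],
];
foreach ($requests as $r) {
    echo $r['REMOTE_ADDR'], ' -> ', resolveClientIp($r, $trusted), PHP_EOL;
}
```

The second sample request comes from a peer that is not in the proxy list, so its header is never read and the peer address itself is returned.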

