[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Tue Feb 26 21:21:12 CET 2008


REMINDER #2

Martin Kutschker wrote:
> REMINDER
> 
> Martin Kutschker wrote:
>> Michael Stucki wrote:
>>> This is a SVN patch request.
>>>
>>> Problem:
>>> When requesting the client's REMOTE_ADDR, it can happen that there is
>>> a proxy in between server and client, which replaces the value with its
>>> own IP, and puts the original IP in HTTP_X_FORWARDED_FOR instead.
>>>
>>> Solution:
>>> Add a new configuration option to send HTTP_X_FORWARDED_FOR when
>>> requesting the REMOTE_ADDR.
>>
>> Here's a new patch. This one is more secure as it ties TYPO3 to a set
>> of known proxies. Furthermore you may define that one or more proxies
>> use SSL in connection to the Internet. And additionally it's possible
>> to add a prefix for http and https proxies in case there is a (weird)
>> path changing proxy setup in place (seems to be the case with some
>> mass SSL-BE hosters).
>>
>> What the patch doesn't do is take care of possible port problems. I
>> guess it's possible that the proxy uses 80, but the internal server
>> uses a non-standard port. This will probably lead to troubles.
>>
>>> Comments:
>>> I am not sure how to deal with the REMOTE_HOST field. I suppose it
>>> must be wrong, too, but there seems to be no replacement for it.
>>> Currently, I also send HTTP_X_FORWARDED_FOR when asking for REMOTE_HOST,
>>> however there could be conflicts when a hostname is requested, and an
>>> IP is returned(?)
>>
>> Use HTTP_X_FORWARDED_FOR. My patch doesn't do anything if that is not
>> present, but of course we could do a DNS lookup of the IP address
>> returned in HTTP_X_FORWARDED_FOR.
>>
>> Please have a careful look at this patch. I have just now compiled it
>> from my own stuff, ideas of Henning Pingel and Dmitry. That means that
>> the patch as-is is not tested.
>>
>> Masi
>>

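The approach Masi describes above (believe HTTP_X_FORWARDED_FOR only when the request actually arrives from one of a configured set of known proxies, decide SSL per proxy by configuration rather than by a header, and apply an optional path prefix) as an added, language-independent illustration in Python. This is not the TYPO3 patch and does not use its option names; CONFIG, the sample addresses and the prefixes are constructed. It goes slightly beyond the single-proxy case in the thread by walking a multi-hop X-Forwarded-For chain from the right and stopping at the first address that is not one of our own proxies, which is the only hop a trusted proxy can vouch for:

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed configuration for this example. The option names are assumptions,
# not the names used by the TYPO3 patch discussed in the thread.
CONFIG = {
    # Reverse proxies we operate; only their HTTP_X_FORWARDED_FOR is believed.
    "trusted_proxies": {"10.0.0.5", "10.0.0.6", "fd00::5"},
    # Subset of the trusted proxies that terminate SSL towards the Internet.
    "ssl_proxies": {"10.0.0.6"},
    # Optional path prefixes for a path-changing proxy setup.
    "http_prefix": "",
    "https_prefix": "/ssl-be",
}


def _parse(addr: str) -> Optional[IPAddress]:
    """Parse one textual IP address; None for anything malformed."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _normalize(addrs: Iterable[str]) -> Set[str]:
    """Canonical string forms, so 'fd00::0005' and 'fd00::5' compare equal."""
    out: Set[str] = set()
    for a in addrs:
        ip = _parse(a)
        if ip is not None:
            out.add(str(ip))
    return out


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address to treat as the client's REMOTE_ADDR.

    The header is consulted only when the TCP peer is a configured proxy;
    a direct client that sends its own X-Forwarded-For is ignored, since
    that header is attacker-controlled.
    """
    trusted = _normalize(trusted_proxies)
    peer = _parse(remote_addr)
    if peer is None or str(peer) not in trusted:
        return remote_addr
    if not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    # Walk right to left: the rightmost entry was appended by the proxy
    # nearest to us and is the only one that proxy saw as its peer.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            # Malformed hop: fall back to the socket peer rather than guess.
            return remote_addr
        if str(ip) not in trusted:
            return str(ip)
    # Every hop was one of our own proxies: the request originated inside
    # the proxy tier, so the socket peer is as good an answer as any.
    return remote_addr


def resolve_request(environ: Dict[str, str], config: Dict) -> Dict[str, object]:
    """Derive client IP, SSL flag and script prefix from a CGI-style environ."""
    peer = environ.get("REMOTE_ADDR", "")
    ip = client_ip(peer, environ.get("HTTP_X_FORWARDED_FOR"),
                   config["trusted_proxies"])
    # SSL is a property of which proxy forwarded the request, decided by
    # configuration, not by any header the client could set.
    https = bool(_normalize([peer]) & _normalize(config["ssl_proxies"]))
    prefix = config["https_prefix"] if https else config["http_prefix"]
    return {"client_ip": ip, "https": https, "script_prefix": prefix}


if __name__ == "__main__":
    # Constructed requests: one via the SSL proxy, one direct with a forged header.
    via_proxy = {"REMOTE_ADDR": "10.0.0.6", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "10.0.0.1"}
    print(resolve_request(via_proxy, CONFIG))
    print(resolve_request(direct, CONFIG))
```

The port concern raised in the thread is left untouched here: nothing in this code compares ports, so a proxy on 80 in front of a backend on a non-standard port would still need separate handling.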