Don't trust CLIENT_IP

The client_ip header can easily be forged. In 'safe' mode we should
only trust the remote_addr, which comes from the SAPI. Remove support for
http_clientaddress, as I can't find where it ever came from, either in
PHP or in the HTTP specs.
mark_story 2016-03-10 22:02:34 -05:00
parent 18b0334890
commit 48af49ddde
2 changed files with 10 additions and 20 deletions


@ -417,20 +417,10 @@ class CakeRequest implements ArrayAccess {
public function clientIp($safe = true) {
if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
} elseif (!$safe && env('HTTP_CLIENT_IP')) {
$ipaddr = env('HTTP_CLIENT_IP');
} else {
if (env('HTTP_CLIENT_IP')) {
$ipaddr = env('HTTP_CLIENT_IP');
} else {
$ipaddr = env('REMOTE_ADDR');
}
}
if (env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = env('HTTP_CLIENTADDRESS');
if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
$ipaddr = env('REMOTE_ADDR');
}
return trim($ipaddr);
}
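Review bot: In the `!$safe` branches the value returned is still raw header content that has never been checked to be an IP address, so a caller that logs it or feeds it into an ACL or a database receives whatever the client chose to send; the `preg_replace` only strips everything after the first comma. Keeping `$safe` semantics as they are, the unsafe result could at least be validated before use, e.g. `if (!$safe && filter_var(trim($ipaddr), FILTER_VALIDATE_IP) === false) { $ipaddr = env('REMOTE_ADDR'); }` placed before the `return`. Note also that the X-Forwarded-For branch takes the leftmost entry, which is the one the original client controls, so even a valid-looking address there is not evidence of origin behind a proxy chain. The method's PHPDoc sits outside the hunk; it should state that `$safe = false` trusts client-supplied headers and must only be used behind a proxy the deployment controls, and that `env()` may return `null`, which `trim()` turns into `''`.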


@ -711,18 +711,18 @@ class CakeRequestTest extends CakeTestCase {
$_SERVER['HTTP_X_FORWARDED_FOR'] = '192.168.1.5, 10.0.1.1, proxy.com';
$_SERVER['HTTP_CLIENT_IP'] = '192.168.1.2';
$_SERVER['REMOTE_ADDR'] = '192.168.1.3';
$request = new CakeRequest('some/path');
$this->assertEquals('192.168.1.5', $request->clientIp(false));
$this->assertEquals('192.168.1.2', $request->clientIp());
$this->assertEquals('192.168.1.3', $request->clientIp(), 'Use remote_addr in safe mode');
$this->assertEquals('192.168.1.5', $request->clientIp(false), 'Use x-forwarded');
unset($_SERVER['HTTP_X_FORWARDED_FOR']);
$this->assertEquals('192.168.1.2', $request->clientIp());
$this->assertEquals('192.168.1.3', $request->clientIp(), 'safe uses remote_addr');
$this->assertEquals('192.168.1.2', $request->clientIp(false), 'unsafe reads from client_ip');
unset($_SERVER['HTTP_CLIENT_IP']);
$this->assertEquals('192.168.1.3', $request->clientIp());
$_SERVER['HTTP_CLIENTADDRESS'] = '10.0.1.2, 10.0.1.1';
$this->assertEquals('10.0.1.2', $request->clientIp());
$this->assertEquals('192.168.1.3', $request->clientIp(), 'use remote_addr');
$this->assertEquals('192.168.1.3', $request->clientIp(false), 'use remote_addr');
}
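Review bot: `$_SERVER['HTTP_CLIENTADDRESS']` is set near the end of the test but never removed, whereas the other headers the test sets are cleaned up with `unset()` right after their assertions; unless `CakeTestCase` restores `$_SERVER` between tests (not visible here), the value leaks into later tests. Add `unset($_SERVER['HTTP_CLIENTADDRESS']);` after the last assertion. It would also be worth one assertion that a forged, non-IP value in `HTTP_X_FORWARDED_FOR` is returned verbatim by `clientIp(false)`, so the trust boundary of the unsafe mode is documented by the test rather than implied. The enclosing test method starts before the hunk.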
/**