Don't trust CLIENT_IP
The client_ip header can easily be forged. In 'safe' mode we should only trust remote_addr, which comes from the SAPI. Remove support for http_clientaddress, as I can't find where this ever came from in PHP or the HTTP specs.
parent
18b0334890
commit
48af49ddde
2 changed files with 10 additions and 20 deletions
|
@ -417,21 +417,11 @@ class CakeRequest implements ArrayAccess {
|
|||
public function clientIp($safe = true) {
|
||||
if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
|
||||
$ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
|
||||
} else {
|
||||
if (env('HTTP_CLIENT_IP')) {
|
||||
} elseif (!$safe && env('HTTP_CLIENT_IP')) {
|
||||
$ipaddr = env('HTTP_CLIENT_IP');
|
||||
} else {
|
||||
$ipaddr = env('REMOTE_ADDR');
|
||||
}
|
||||
}
|
||||
|
||||
if (env('HTTP_CLIENTADDRESS')) {
|
||||
$tmpipaddr = env('HTTP_CLIENTADDRESS');
|
||||
|
||||
if (!empty($tmpipaddr)) {
|
||||
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
|
||||
}
|
||||
}
|
||||
return trim($ipaddr);
|
||||
}
|
||||
|
||||
|
|
|
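Review bot: The new `else` branch leaves `$ipaddr` null when `REMOTE_ADDR` is absent (CLI runs, some test harnesses) if `env()` returns null for missing keys, so `return trim($ipaddr);` at the end of the hunk hands null to `trim()`, which PHP 8.1+ reports as deprecated; `return trim((string)$ipaddr);` keeps the same result for every non-null input. The `$safe = false` path still takes the left-most `X-Forwarded-For` entry, which is whatever the client sent, so the docblock above the hunk (outside it) should say that `clientIp(false)` returns a client-controlled value and is only meaningful behind a proxy the application trusts, for example `@param bool $safe When false, X-Forwarded-For and Client-IP are honoured; these are client-supplied and must only be used behind a trusted proxy.` The method's docblock starts outside the hunk.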
@ -711,18 +711,18 @@ class CakeRequestTest extends CakeTestCase {
|
|||
$_SERVER['HTTP_X_FORWARDED_FOR'] = '192.168.1.5, 10.0.1.1, proxy.com';
|
||||
$_SERVER['HTTP_CLIENT_IP'] = '192.168.1.2';
|
||||
$_SERVER['REMOTE_ADDR'] = '192.168.1.3';
|
||||
|
||||
$request = new CakeRequest('some/path');
|
||||
$this->assertEquals('192.168.1.5', $request->clientIp(false));
|
||||
$this->assertEquals('192.168.1.2', $request->clientIp());
|
||||
$this->assertEquals('192.168.1.3', $request->clientIp(), 'Use remote_addr in safe mode');
|
||||
$this->assertEquals('192.168.1.5', $request->clientIp(false), 'Use x-forwarded');
|
||||
|
||||
unset($_SERVER['HTTP_X_FORWARDED_FOR']);
|
||||
$this->assertEquals('192.168.1.2', $request->clientIp());
|
||||
$this->assertEquals('192.168.1.3', $request->clientIp(), 'safe uses remote_addr');
|
||||
$this->assertEquals('192.168.1.2', $request->clientIp(false), 'unsafe reads from client_ip');
|
||||
|
||||
unset($_SERVER['HTTP_CLIENT_IP']);
|
||||
$this->assertEquals('192.168.1.3', $request->clientIp());
|
||||
|
||||
$_SERVER['HTTP_CLIENTADDRESS'] = '10.0.1.2, 10.0.1.1';
|
||||
$this->assertEquals('10.0.1.2', $request->clientIp());
|
||||
$this->assertEquals('192.168.1.3', $request->clientIp(), 'use remote_addr');
|
||||
$this->assertEquals('192.168.1.3', $request->clientIp(false), 'use remote_addr');
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
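Review bot: The two assertions after `$_SERVER['HTTP_CLIENTADDRESS'] = '10.0.1.2, 10.0.1.1';` carry the message `'use remote_addr'`, which does not state what they now prove, namely that the header is ignored in both modes; `'HTTP_CLIENTADDRESS is ignored in safe mode'` and `'HTTP_CLIENTADDRESS is ignored in unsafe mode'` would make a failure self-explanatory. The `$_SERVER` keys set in this test (`HTTP_CLIENTADDRESS`, `REMOTE_ADDR`) are not unset before the closing brace, so they may leak into later tests unless a tearDown restores `$_SERVER`; that is outside the hunk, so confirm. The test method's signature and any setUp are outside the hunk.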