[Tickets #6133] Re: don't blindly trust x-forwarded-for
bugs at horde.org
Tue Jan 22 18:29:00 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=6133
-----------------------------------------------------------------------
Ticket | 6133
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | don't blindly trust x-forwarded-for
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Bug
-State | Unconfirmed
+State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners |
-----------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2008-01-22 13:29) wrote:
I've removed the usage of X-forwarded-for when checking the safe_ips list.
The two other places we use it that aren't simply in log messages are in
Auth.php (last login info) and MIME_Headers (the received: header).
I'm guessing that the received header is the one you care about and I'm
inclined to agree; throwing out the proxy address there is dubious because
it's likely to be useful tracking information. What do you think about
including both (the REMOTE_ADDR value, and a parenthetical that it was
forwarded for the value of HTTP_X_FORWARDED_FOR)?
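As an added illustration of the point in this comment (example code, not Horde's own; written in Python rather than the framework's PHP), the two patterns side by side: an allowlist check that prefers `HTTP_X_FORWARDED_FOR`, versus one that decides trust only on `REMOTE_ADDR`, plus a Received: line that keeps the forwarded-for value as tracking information without letting it influence the decision. The `SAFE_IPS` list, the `env` dictionary standing in for the CGI environment, and the host name are constructed assumptions.

```python
"""Added example: derive the peer address for a safe_ips-style allowlist
check from REMOTE_ADDR only, and record X-Forwarded-For in a Received: header
purely for traceability. Not Horde code; names below are assumptions."""
import ipaddress

# Constructed allowlist standing in for the framework's safe_ips setting.
SAFE_IPS = ["10.0.0.0/8", "192.0.2.10"]


def _in_safe_ips(addr: str, safe_ips=SAFE_IPS) -> bool:
    """True if addr is covered by an allowlist entry (host or CIDR)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Header-supplied garbage is never "safe".
        return False
    for entry in safe_ips:
        if "/" in entry:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif ip == ipaddress.ip_address(entry):
            return True
    return False


def is_safe_naive(env: dict) -> bool:
    """'Before' behaviour: trusts the client-controlled X-Forwarded-For value."""
    claimed = env.get("HTTP_X_FORWARDED_FOR")
    addr = claimed.split(",")[0].strip() if claimed else env["REMOTE_ADDR"]
    return _in_safe_ips(addr)


def is_safe_fixed(env: dict) -> bool:
    """'After' behaviour: only the TCP peer address decides trust."""
    return _in_safe_ips(env["REMOTE_ADDR"])


def _header_safe(value: str) -> str:
    """Replace control characters so a header value cannot inject new lines."""
    return "".join(ch if 32 <= ord(ch) < 127 else " " for ch in value)


def received_header(env: dict, host: str = "mail.example.org") -> str:
    """REMOTE_ADDR is authoritative; the forwarded-for value is kept in parentheses."""
    line = f"Received: from {env['REMOTE_ADDR']}"
    xff = env.get("HTTP_X_FORWARDED_FOR")
    if xff:
        line += f" (forwarded for {_header_safe(xff)})"
    return line + f" by {host}"


if __name__ == "__main__":
    # Constructed request: peer outside the allowlist, header claiming an inside address.
    request = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "10.1.2.3"}
    print("naive:", is_safe_naive(request), "fixed:", is_safe_fixed(request))
    print(received_header(request))
```

The only case where a forwarded-for value should feed a trust decision is when `REMOTE_ADDR` is itself a proxy you operate; absent that check, the header is just a client-supplied string, which is why the Received: line records it but nothing else acts on it.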