Details
Bug
Status: Closed
Resolution: Invalid
3.0.B1
None
None
PHP Environment:
Database:
Description
While reading my blogroll, I came upon this piece: http://whocares.de/archive/001228.php
REMOTE_ADDR does not always contain the IP address of the host sending the request, but the IP address of a proxy. Usually this can be circumvented by using X_FORWARDED_FOR, which can contain more than one IP address due to proxy chains. The first IP address in X_FORWARDED_FOR should be the IP address of the original sender, so it is the one we should use.
Using a regexp we could identify the first one AND check whether it actually is a correct IP address: #([\d{1,3}\.]{1,6})# (not sure about the correctness of the syntax, but you might get the point).
See also this explanation of what is going on in X_FORWARDED_FOR: http://www.openinfo.co.uk/apache/#descr
phpBB3 says (in auth.php IIRC):
// Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
// it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars($_SERVER['REMOTE_ADDR']) : '';
Cannot REMOTE_ADDR be as easily spoofed as X_FORWARDED_FOR? And why do we use htmlspecialchars()?
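For readers weighing the two positions in this report, the following is an added example written for this page; it is not phpBB code and not the reporter's proposal. It assumes a hypothetical list of proxy addresses the site operator controls ($trustedProxies) and the standard HTTP_X_FORWARDED_FOR server variable. Rather than taking the leftmost entry, it walks the chain from the right and stops at the first hop that is not one of our own proxies, so an entry the client put into the header itself is never reached, and the header is ignored entirely when the request did not arrive through a trusted proxy.

```php
<?php
// Added example (not phpBB code): choose a client IP from REMOTE_ADDR and
// X-Forwarded-For, trusting the forwarded chain only as far as our own proxies.

function validIp(string $ip): ?string
{
    // Accept only a syntactically valid IPv4/IPv6 literal; everything else is discarded.
    $ip = trim($ip);
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

function clientIp(array $server, array $trustedProxies): string
{
    $remote = validIp($server['REMOTE_ADDR'] ?? '') ?? '';

    // Request did not come through a proxy we operate: the header is
    // attacker-controlled, so use the TCP peer address and nothing else.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }

    // Each trusted proxy appends the address it saw, so the rightmost entries
    // are the ones we added ourselves. Walk leftwards until the first hop
    // that is not one of our proxies; that is the real client.
    $hops   = array_map('trim', explode(',', $header));
    $result = $remote;
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = validIp($hops[$i]);
        if ($ip === null) {
            break;          // malformed entry: do not look further left
        }
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;     // first hop we did not add ourselves
        }
        $result = $ip;      // still inside our own proxy tier, keep walking
    }
    return $result;
}

// Constructed sample requests (hypothetical addresses, not real traffic).
$trustedProxies = ['10.0.0.2', '10.0.0.3'];   // edge proxy, inner proxy

// Direct request that carries a forged header.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
];

// Same header forged by the client, then passed through both proxies,
// each of which appended the address it saw.
$viaProxies = [
    'REMOTE_ADDR'          => '10.0.0.3',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.7, 10.0.0.2',
];

echo clientIp($direct, $trustedProxies), PHP_EOL;
echo clientIp($viaProxies, $trustedProxies), PHP_EOL;
```

In the first request the forged entry is ignored because the peer is not a trusted proxy; in the second the walk stops at the address the edge proxy recorded and never reaches the client-supplied entry. Whatever address is chosen, it should be validated as above and stored as an IP, not passed through htmlspecialchars(): that function is an output-escaping step for HTML and does nothing to establish that a string is an address.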