ZF-12153: Zend_Controller_Request_Http::getClientIp(), dangerous default

Description

By default, Zend_Controller_Request_Http::getClientIp() checks for X-Forwarded-For, which leads to easy IP spoofing. This is a very dangerous default since the method can be used for IP-based authorization:


// $request is a Zend_Controller_Request_Http instance
if (in_array($request->getClientIp(), $allowedAddresses))
{
  echo 'I am admin! Yay!';
}

If you're not sure if it's good to break backwards compatibility in order to prevent it and if it's better just to mention it somewhere in the documentation, check these:

https://github.com/blog/… https://github.com/blog/…

Comments

My opinion is that it would be enough to mention in the docs that the default call to getClientIp() should be used only in a secured manner, e.g. for logging purposes, etc., and any usage for getting authoritative privileges should be used with caution and eventually setting $checkProxy = false
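
Added example, not part of the original report or of Zend Framework's code: the allow-list check from the description, run against a lookup that trusts X-Forwarded-For and against one that honours the header only when the connection comes from a known reverse proxy. It is plain PHP with no framework dependency; the function names, addresses and proxy list are assumptions made for illustration.

```php
<?php
// Added example; function names, addresses and the proxy list are hypothetical.

// Stand-in for the default behaviour described in the report:
// a client-supplied X-Forwarded-For header wins over the socket address.
function clientIpTrustingHeader(array $server)
{
    return !empty($server['HTTP_X_FORWARDED_FOR'])
        ? $server['HTTP_X_FORWARDED_FOR']
        : $server['REMOTE_ADDR'];
}

// Hardened variant: use the header only when the TCP peer is a proxy we run,
// and walk the list right to left to find the first hop we do not control.
function clientIpBehindKnownProxies(array $server, array $trustedProxies)
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: ignore any forwarded header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our proxies
}

// Constructed requests (documentation address ranges).
$allowedAddresses = array('192.0.2.10');
$trustedProxies   = array('198.51.100.5');

$direct = array( // client connects directly and sets the header itself
    'REMOTE_ADDR'          => '203.0.113.77',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.10',
);
$proxied = array( // same header value, with our proxy appending the real peer
    'REMOTE_ADDR'          => '198.51.100.5',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 203.0.113.77',
);

var_dump(in_array(clientIpTrustingHeader($direct), $allowedAddresses, true));
var_dump(in_array(clientIpBehindKnownProxies($direct, $trustedProxies), $allowedAddresses, true));
var_dump(clientIpBehindKnownProxies($proxied, $trustedProxies));
```

With Zend_Controller_Request_Http itself, the equivalent for authorization decisions is calling getClientIp(false), so that only the socket address is used.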