Issues

ZF-7117: getClientIp() might be sensitive to spoofing

Description

See https://trac.cakephp.org/ticket/5842 for more information. Was mentioned in ZF-7092 before.

Comments

The concern was that the IP address might be faked by the client. The Cake issue suggests adding a flag for disabling the proxy check. With the proxy check disabled, only REMOTE_ADDR would be checked. Two issues arise with this solution:

1) REMOTE_ADDR is sensitive to spoofing as well
2) How do you determine whether to disable the proxy check or not?

This is not an issue at all (please close it as such). It should be something for the programmer to check. When, for example, you ban certain IPs, just check for both the remote_addr and proxy IP, etc.

To quote a comment in the original cake issue: "this is not a security exploit in Cake, but should certainly be something to be aware of when building an application."

You misunderstand the issue, Dolf. Also, please leave the decision to close an issue to the issue owner's own discretion. Yes, programmers should check for things themselves and IP detection should never be used as a sole method of securing your application. However, the getClientIp() method should be able to give a programmer a convenient way to get the IP address and to determine if they want to check for proxies. Cake's solution is a decent approach.

Added the option to not check HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR. Resolved in r16304. Merged to release-1.8 in r16305.
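
One way an application can decide when to honour the proxy headers discussed in this thread, shown as an added example that is not part of the original issue or Zend Framework's code. The function name `clientIp()`, the `$trustedProxies` allowlist and all addresses are assumptions made for illustration, and the example goes beyond the on/off flag by only reading the headers when the connecting peer is a known proxy.

```php
<?php
// Added example, not Zend Framework code. clientIp() and $trustedProxies are
// hypothetical names; every address below is a constructed sample value.
function clientIp(array $server, bool $checkProxy = true, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;

    // Proxy check disabled, or the peer is not one of our own proxies:
    // the forwarding headers are plain client input, so ignore them.
    if (!$checkProxy || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2"; each proxy appends the
    // peer it saw. Walk from the right, stop at the first untrusted hop.
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
        foreach ($hops as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: stop trusting the chain
            }
            if (!in_array($hop, $trustedProxies, true)) {
                return $hop;
            }
        }
        return $remote;
    }

    // Assumption: the trusted proxy overwrites Client-IP instead of passing
    // the client's own value through.
    $clientIp = $server['HTTP_CLIENT_IP'] ?? '';
    return filter_var($clientIp, FILTER_VALIDATE_IP) !== false ? $clientIp : $remote;
}

$proxies = ['192.0.2.10'];
// Direct connection carrying a header the client made up.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99'];
// Relayed by our proxy; the left-most entry was supplied by the client.
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.23'];

echo clientIp($direct, true, $proxies), "\n";   // header ignored, peer address used
echo clientIp($proxied, true, $proxies), "\n";  // right-most hop our proxy recorded
echo clientIp($proxied, false, $proxies), "\n"; // proxy check off: REMOTE_ADDR only
```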