Issues

ZF-12153: Zend_Controller_Request_Http::getClientIp(), dangerous default

Issue Type: Bug Created: 2012-04-14T23:14:27.000+0000 Last Updated: 2012-04-15T12:31:06.000+0000 Status: Open Fix version(s): Reporter: Alexander Makarov (samdark) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Controller

Related issues: Attachments:

Description

By default Zend_Controller_Request_Http::getClientIp() checks for X-Forwarded-For that leads to easy IP spoofing. This is a very dangerous default since method can be used for IP-based authorization:

<pre class="highlight">
if(in_array(getClientIp(), $allowedAddresses))
{
  echo 'I am admin! Yay!';
}

If you're not sure if it's good to break backwards compatibility in order to prevent it and if it's better just to mention it somewhere in the documentation, check these:

https://github.com/blog/… https://github.com/blog/…

Comments

Posted by Daniel Petrovic (stpiere) on 2012-04-15T12:31:06.000+0000

My opinion is, that it would be enough to mention in the doc's that default call to getClientIp() should be used only in secured manner, for ex. logging purposes, etc... and any usage for getting authoritativ privileges should be used with caution and eventually setting $checkProxy = false

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts