ZF-7117: getClientIp() might be sensitive to spoofing

Issue Type: Bug Created: 2009-06-24T14:16:48.000+0000 Last Updated: 2009-07-31T21:00:00.000+0000 Status: Resolved Fix version(s): - 1.9.0 (31/Jul/09)

Reporter: Jurrien Stutterheim (norm2782) Assignee: Jurrien Stutterheim (norm2782) Tags: - Zend_Controller

Related issues: Attachments:


See for more information. Was mentioned in ZF-7092 before.


Posted by Jurrien Stutterheim (norm2782) on 2009-06-25T15:55:23.000+0000

The concern was that the IP address might be faked by the client. The Cake issue suggests to add a flag for disabling the proxy check. With the proxy check disabled, only REMOTE_ADDR would be checked. Two issues arise with this solution:

  1. REMOTE_ADDR is sensitive to spoofing as well 2) How do you determine whether to disable the proxy check or not?

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-06-25T16:00:37.000+0000

This is not an issue at all (please close it as such). It should be something for the programmer to check. When for example you ban certain ip's just check for both the remote_addr and proxy ip, etc...

To quote a comment in the original cake issue: {quote}this is not a security exploit in Cake, but should certainly be something to be aware of when building an application.{quote}

Posted by Jurrien Stutterheim (norm2782) on 2009-06-25T16:17:05.000+0000

You misunderstand the issue, Dolf. Also, please leave the decision to close an issue to the issue owner's own discretion. Yes, programmers should check for things themselves and IP detection should never be used a a sole method of securing your application. However, the getClientIp() method should be able to give a programmer a convenient way to get the IP address and to determine if they want to check for proxies. Cake's solution is a decent approach.

Posted by Jurrien Stutterheim (norm2782) on 2009-06-25T20:35:33.000+0000

Added the option to not check HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR. Resolved in r16304. Merged to release-1.8 in r16305

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.