The Zend\Http\PhpEnvironment\RemoteAddress class provides features around detecting the internet protocol (IP) address for an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class was not taking into account whether or not the IP address contained in PHP's $_SERVER['REMOTE_ADDR'] was in the trusted proxy server list.
The IETF draft specification indicates that if $_SERVER['REMOTE_ADDR'] is not a trusted proxy, it must be considered the originating IP address, and the value of
We have made the following change to the
$_SERVER['REMOTE_ADDR'] is not in the list of trusted proxy servers, we now return the value of $_SERVER['REMOTE_ADDR'] immediately, without introspecting the
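As an added illustration (not Zend Framework's own code), the check described above modelled in plain PHP, with the pre-2.2.5 behaviour beside the corrected one. The function names, the trusted-proxy list, the sample addresses and the right-to-left walk of X-Forwarded-For are assumptions made for the example, and the vulnerable variant is a simplified model of the old logic rather than the class's actual source.

```php
<?php
// Added example, not Zend Framework code. Constructed $_SERVER arrays and a
// constructed trusted-proxy list illustrate the advisory's change.

// Walk X-Forwarded-For from the right (hop nearest to us) to the left and
// return the first address that is not one of our trusted proxies.
function firstUntrustedHop(string $xff, array $trustedProxies, string $fallback): string
{
    $hops = array_map('trim', explode(',', $xff));
    foreach (array_reverse($hops) as $hop) {
        if ($hop !== '' && !in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $fallback;
}

// Simplified model of the pre-2.2.5 behaviour: X-Forwarded-For is consulted
// whenever it is present, without first asking whether REMOTE_ADDR is trusted.
function clientIpVulnerable(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    return firstUntrustedHop($server['HTTP_X_FORWARDED_FOR'], $trustedProxies, $remote);
}

// Corrected behaviour: if the peer that connected to us is not a trusted
// proxy, it is the originating client and X-Forwarded-For is ignored.
function clientIpFixed(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    if (!isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    return firstUntrustedHop($server['HTTP_X_FORWARDED_FOR'], $trustedProxies, $remote);
}

$trusted = ['10.0.0.5'];                       // constructed trusted proxy
// Constructed request from an untrusted peer that supplies its own header:
// the old logic reports the header value, the fixed logic reports the peer.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo clientIpVulnerable($direct, $trusted), "\n";
echo clientIpFixed($direct, $trusted), "\n";
// Constructed request relayed by the trusted proxy: both report the client.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
echo clientIpFixed($proxied, $trusted), "\n";
```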
You are only affected by this as an issue if you directly consume one of the following in your code:
If you do, we recommend immediately upgrading to version 2.2.5.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at email@example.com