Improve documentation of X-Forwarded-For header handling

Samuel Vogel · fabpot · commit 0d232ba2f2cf · 2013-10-16T17:16:00.000+02:00
diff --git a/src/Symfony/Component/HttpFoundation/IpUtils.php b/src/Symfony/Component/HttpFoundation/IpUtils.php
@@ -24,10 +24,10 @@ class IpUtils
     private function __construct() {}
 
     /**
-     * Validates an IPv4 or IPv6 address.
+     * Checks if an IPv4 or IPv6 address is contained in the list of given IPs or subnets
      *
-     * @param string       $requestIp
-     * @param string|array $ips
+     * @param string       $requestIp   IP to check
+     * @param string|array $ips         List of IPs or subnets (can be a string if only a single one)
      *
      * @return boolean Whether the IP is valid
      */
@@ -49,10 +49,11 @@ public static function checkIp($requestIp, $ips)
     }
 
     /**
-     * Validates an IPv4 address.
+     * Compares two IPv4 addresses.
+     * In case a subnet is given, it checks if it contains the request IP.
      *
-     * @param string $requestIp
-     * @param string $ip
+     * @param string $requestIp IPv4 address to check
+     * @param string $ip        IPv4 address or subnet in CIDR notation
      *
      * @return boolean Whether the IP is valid
      */
@@ -73,13 +74,14 @@ public static function checkIp4($requestIp, $ip)
     }
 
     /**
-     * Validates an IPv6 address.
+     * Compares two IPv6 addresses.
+     * In case a subnet is given, it checks if it contains the request IP.
      *
      * @author David Soria Parra <dsp at php dot net>
      * @see https://github.com/dsp/v6tools
      *
-     * @param string $requestIp
-     * @param string $ip
+     * @param string $requestIp IPv6 address to check
+     * @param string $ip        IPv6 address or subnet in CIDR notation
      *
      * @return boolean Whether the IP is valid
      *
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -732,9 +732,9 @@ public function setSession(SessionInterface $session)
     /**
      * Returns the client IP addresses.
      *
-     * The least trusted IP address is first, and the most trusted one last.
-     * The "real" client IP address is the first one, but this is also the
-     * least trusted one.
+     * In the returned array the most trusted IP address is first, and the
+     * least trusted one last. The "real" client IP address is the last one,
+     * but this is also the least trusted one. Trusted proxies are stripped.
      *
      * Use this method carefully; you should use getClientIp() instead.
      *
@@ -755,17 +755,19 @@ public function getClientIps()
         }
 
         $clientIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));
-        $clientIps[] = $ip;
+        $clientIps[] = $ip; // Complete the IP chain with the IP the request actually came from
 
         $trustedProxies = !self::$trustedProxies ? array($ip) : self::$trustedProxies;
-        $ip = $clientIps[0];
+        $ip = $clientIps[0]; // Fallback to this when the client IP falls into the range of trusted proxies
 
+        // Eliminate all IPs from the forwarded IP chain which are trusted proxies
         foreach ($clientIps as $key => $clientIp) {
             if (IpUtils::checkIp($clientIp, $trustedProxies)) {
                 unset($clientIps[$key]);
             }
         }
 
+        // Now the IP chain contains only untrusted proxies and the client IP
         return $clientIps ? array_reverse($clientIps) : array($ip);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,10 @@ class IpUtils`
`24`	`24`	`private function __construct() {}`
`25`	`25`
`26`	`26`	`/**`
`27`		`- * Validates an IPv4 or IPv6 address.`
	`27`	`+ * Checks if an IPv4 or IPv6 address is contained in the list of given IPs or subnets`
`28`	`28`	`*`
`29`		`- * @param string $requestIp`
`30`		`- * @param string\|array $ips`
	`29`	`+ * @param string $requestIp IP to check`
	`30`	`+ * @param string\|array $ips List of IPs or subnets (can be a string if only a single one)`
`31`	`31`	`*`
`32`	`32`	`* @return boolean Whether the IP is valid`
`33`	`33`	`*/`
`@@ -49,10 +49,11 @@ public static function checkIp($requestIp, $ips)`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`/**`
`52`		`- * Validates an IPv4 address.`
	`52`	`+ * Compares two IPv4 addresses.`
	`53`	`+ * In case a subnet is given, it checks if it contains the request IP.`
`53`	`54`	`*`
`54`		`- * @param string $requestIp`
`55`		`- * @param string $ip`
	`55`	`+ * @param string $requestIp IPv4 address to check`
	`56`	`+ * @param string $ip IPv4 address or subnet in CIDR notation`
`56`	`57`	`*`
`57`	`58`	`* @return boolean Whether the IP is valid`
`58`	`59`	`*/`
`@@ -73,13 +74,14 @@ public static function checkIp4($requestIp, $ip)`
`73`	`74`	`}`
`74`	`75`
`75`	`76`	`/**`
`76`		`- * Validates an IPv6 address.`
	`77`	`+ * Compares two IPv6 addresses.`
	`78`	`+ * In case a subnet is given, it checks if it contains the request IP.`
`77`	`79`	`*`
`78`	`80`	`* @author David Soria Parra <dsp at php dot net>`
`79`	`81`	`* @see https://github.com/dsp/v6tools`
`80`	`82`	`*`
`81`		`- * @param string $requestIp`
`82`		`- * @param string $ip`
	`83`	`+ * @param string $requestIp IPv6 address to check`
	`84`	`+ * @param string $ip IPv6 address or subnet in CIDR notation`
`83`	`85`	`*`
`84`	`86`	`* @return boolean Whether the IP is valid`
`85`	`87`	`*`
Original file line number	Diff line number	Diff line change
`@@ -732,9 +732,9 @@ public function setSession(SessionInterface $session)`
`732`	`732`	`/**`
`733`	`733`	`* Returns the client IP addresses.`
`734`	`734`	`*`
`735`		`- * The least trusted IP address is first, and the most trusted one last.`
`736`		`- * The "real" client IP address is the first one, but this is also the`
`737`		`- * least trusted one.`
	`735`	`+ * In the returned array the most trusted IP address is first, and the`
	`736`	`+ * least trusted one last. The "real" client IP address is the last one,`
	`737`	`+ * but this is also the least trusted one. Trusted proxies are stripped.`
`738`	`738`	`*`
`739`	`739`	`* Use this method carefully; you should use getClientIp() instead.`
`740`	`740`	`*`
`@@ -755,17 +755,19 @@ public function getClientIps()`
`755`	`755`	`}`
`756`	`756`
`757`	`757`	`$clientIps = array_map('trim', explode(',', $this->headers->get(self::$trustedHeaders[self::HEADER_CLIENT_IP])));`
`758`		`- $clientIps[] = $ip;`
	`758`	`+ $clientIps[] = $ip; // Complete the IP chain with the IP the request actually came from`
`759`	`759`
`760`	`760`	`$trustedProxies = !self::$trustedProxies ? array($ip) : self::$trustedProxies;`
`761`		`- $ip = $clientIps[0];`
	`761`	`+ $ip = $clientIps[0]; // Fallback to this when the client IP falls into the range of trusted proxies`
`762`	`762`
	`763`	`+ // Eliminate all IPs from the forwarded IP chain which are trusted proxies`
`763`	`764`	`foreach ($clientIps as $key => $clientIp) {`
`764`	`765`	`if (IpUtils::checkIp($clientIp, $trustedProxies)) {`
`765`	`766`	`unset($clientIps[$key]);`
`766`	`767`	`}`
`767`	`768`	`}`
`768`	`769`
	`770`	`+ // Now the IP chain contains only untrusted proxies and the client IP`
`769`	`771`	`return $clientIps ? array_reverse($clientIps) : array($ip);`
`770`	`772`	`}`
`771`	`773`