New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP_X_FORWARDED_FOR can be spoofed, proxies append to the list, so u… #11093

Merged
merged 1 commit into from Aug 25, 2017

Conversation

Projects
None yet
2 participants
@ceeram
Member

ceeram commented Aug 24, 2017

A proxy will append the client’s real IP address to the HTTP header, so use last ip instead of first ip, which could be manipulated by an attacker

@ceeram ceeram self-assigned this Aug 24, 2017

@markstory markstory added this to the 3.5.1 milestone Aug 24, 2017

@markstory markstory added the http label Aug 24, 2017

@markstory

Looks good to me.

@markstory markstory merged commit fcb8736 into master Aug 25, 2017

3 of 4 checks passed

continuous-integration/travis-ci/push The Travis CI build failed
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
stickler-ci No lint errors found.

@markstory markstory deleted the client-ip-spoofing branch Aug 25, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment