"ClientIP" handling is unsafe

[Geometry6151]

hertz/pkg/app/context.go

Lines 980 to 994 in 3ac19d5

	var defaultClientIP = func(ctx *RequestContext) string {
	RemoteIPHeaders := []string{"X-Real-IP", "X-Forwarded-For"}
	for _, headerName := range RemoteIPHeaders {
	ip := ctx.Request.Header.Get(headerName)
	if ip != "" {
	return ip
	}
	}
	if ip, _, err := net.SplitHostPort(strings.TrimSpace(ctx.RemoteAddr().String())); err == nil {
	return ip
	}
	return ""
	}

This code has a security risk, when using the ClientIP function it is easy to be spoofed by "X-Real-IP" and "X-Forwarded-For" to bypass the checks。

This problem also occurs with the Gin framework -> gin-gonic/gin#2473
The fix can be found in their issue。

[welkeyever]

Thanks for reporting! Are you interested in submitting a pr to fix it?
It's OK if it is not so, I'll put it into TODOs.

[BaiZe1998]

i want to try it, please assign me.