MDL-67861 core: Use last ip in X-Forwarded-For list

moodle · Mar 5, 2020 · 67c44eb · 67c44eb
1 parent eeaf8e0
commit 67c44eb
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -9037,7 +9037,10 @@ function getremoteaddr($default='0.0.0.0') {
     if (!($variablestoskip & GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR)) {
         if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             $forwardedaddresses = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
-            $address = $forwardedaddresses[0];
+
+            // Multiple proxies can append values to this header including an
+            // untrusted original request header so we must only trust the last ip.
+            $address = end($forwardedaddresses);
 
             if (substr_count($address, ":") > 1) {
                 // Remove port and brackets from IPv6.