RequestFactory: Possible remoteAddr spoofing #87
Load balancers or proxies add the client IP to the end of the X-Forwarded-For header.
So if the site is behind a trusted proxy, we set it by the setProxy method, and the client sends a spoofed X-Forwarded-For header, then the existing RequestFactory code interprets it as the real client IP, because the proxy adds the real IP to the end but the RequestFactory code takes the first IP from the $_SERVER["HTTP_X_FORWARDED_FOR"] array.
The correct solution should be that we check the $_SERVER["HTTP_X_FORWARDED_FOR"] array from the end, compare it against the known trusted proxy array (set by setProxy), and use the endmost IP that doesn't match any of the known proxy IPs.
Fake IP Example:
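As an added illustration (not code from nette/http or from the issue author), the lookup described above in Python: a naive first-entry parser beside a version that walks the chain from the end and skips trusted proxies. The IP addresses and trusted ranges are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip: IPAddr, trusted_nets: List[ipaddress._BaseNetwork]) -> bool:
    return any(ip in net for net in trusted_nets)


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The pattern the issue describes: trust the first X-Forwarded-For entry.
    A client that sends its own X-Forwarded-For header controls this value."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: str, trusted_proxies: Iterable[str]) -> str:
    """Return the rightmost X-Forwarded-For entry that is not a trusted proxy."""
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    remote = _parse_ip(remote_addr)
    # If the TCP peer itself is not a trusted proxy, nobody we trust wrote the
    # header, so ignore it entirely and use the peer address.
    if remote is None or not _is_trusted(remote, trusted_nets):
        return remote_addr
    hops = xff.split(",") if xff else []
    # Walk from the end (the hop appended by the proxy nearest to us) and skip
    # every entry that is one of our own proxies.
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed entry: stop rather than trust anything further left.
            break
        if not _is_trusted(ip, trusted_nets):
            return str(ip)
    # Header absent, malformed, or made up only of trusted proxies: fall back.
    return remote_addr


# Constructed sample: client spoofs "1.2.3.4", proxy 10.0.0.5 appends the real
# client 203.0.113.7, proxy 10.0.0.6 appends 10.0.0.5 and connects to us.
SAMPLE_REMOTE = "10.0.0.6"
SAMPLE_XFF = "1.2.3.4, 203.0.113.7, 10.0.0.5"
TRUSTED = ["10.0.0.0/8"]
```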