
RequestFactory: Possible remoteAddr spoofing #87

Closed
HonzaCZ opened this issue Mar 9, 2016 · 1 comment

@HonzaCZ
Contributor

commented Mar 9, 2016

Load balancers or proxies add the client IP to the end of the X-Forwarded-For header.

So if the site is behind a trusted proxy, we set it by the setProxy method, and the client sends a spoofed X-Forwarded-For header, then the existing RequestFactory code interprets it as the real client IP, because the proxy adds its real IP to the end but the RequestFactory code takes the first IP from the $_SERVER["HTTP_X_FORWARDED_FOR"] array.

The correct solution should be to check the $_SERVER["HTTP_X_FORWARDED_FOR"] array from the end, compare it against the known trusted proxy array (set by setProxy), and use the endmost IP that doesn't match any of the known proxy IPs.

OK Example:
The site is behind 2 consecutive load balancers: 10.0.0.1 and 10.0.0.2. The client's real IP is 192.168.1.1.
From the client there is no X-Forwarded-For header. The first proxy sets X-Forwarded-For to 192.168.1.1. The second proxy appends the IP of the first proxy - the header will be X-Forwarded-For: 192.168.1.1, 10.0.0.1.
In this case, everything would be alright - we take the first IP and it equals the real client IP, but...

Fake IP Example:
The situation is the same as in the previous example, but the client sends a spoofed X-Forwarded-For header. It sends e.g. 172.16.0.1 in that header.
The first proxy appends the client's real IP, the second proxy appends the IP of the first proxy. We have X-Forwarded-For: 172.16.0.1, 192.168.1.1, 10.0.0.1
So RequestFactory uses the fake IP as reference.
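The right-to-left walk the post describes, written out as an added PHP example that is not the nette/http library's own code. It assumes a hypothetical `resolveClientIp()` taking REMOTE_ADDR, the raw header value and the trusted-proxy list, and it additionally only consults the header when the direct peer is itself a trusted proxy; with the post's two scenarios it resolves both to the real client 192.168.1.1.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the client IP from X-Forwarded-For by walking the list from the
 * right (nearest proxy) to the left and skipping every trusted proxy.
 * Returns the first hop that is not a trusted proxy; if every hop is trusted,
 * the header is empty, or the direct peer is not trusted, returns $remoteAddr.
 *
 * @param string   $remoteAddr     $_SERVER['REMOTE_ADDR'], the peer that connected to us
 * @param string   $forwardedFor   raw X-Forwarded-For header value ('' if absent)
 * @param string[] $trustedProxies proxy IPs registered by the application (cf. setProxy)
 */
function resolveClientIp(string $remoteAddr, string $forwardedFor, array $trustedProxies): string
{
    // Added check: the header is only meaningful when the direct peer is a
    // proxy we trust; a client connecting directly can write anything into it.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    // Split "a, b, c" into individual hops, dropping empty fragments.
    $hops = array_filter(array_map('trim', explode(',', $forwardedFor)), 'strlen');

    // Walk from the end: the rightmost entries were appended by our own proxies,
    // the leftmost ones may have been supplied by the client.
    foreach (array_reverse($hops) as $hop) {
        if (!in_array($hop, $trustedProxies, true)) {
            // Reject garbage that is not even a syntactically valid IP address.
            return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remoteAddr;
        }
    }

    // Every hop was one of our proxies (or the header was empty).
    return $remoteAddr;
}

// Constructed inputs mirroring the two scenarios in the issue; the app sees
// the second load balancer (10.0.0.2) as REMOTE_ADDR in both cases.
$trusted = ['10.0.0.1', '10.0.0.2'];

// "OK example": the client sent no header, the proxies built it.
echo resolveClientIp('10.0.0.2', '192.168.1.1, 10.0.0.1', $trusted), PHP_EOL;

// "Fake IP example": the client injected 172.16.0.1 at the front.
echo resolveClientIp('10.0.0.2', '172.16.0.1, 192.168.1.1, 10.0.0.1', $trusted), PHP_EOL;

// Direct connection from an untrusted peer: the header is ignored entirely.
echo resolveClientIp('203.0.113.9', '10.0.0.1', $trusted), PHP_EOL;
```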

HonzaCZ added a commit to HonzaCZ/http that referenced this issue Mar 9, 2016

RequestFactory: Fixed possible remoteAddr spoofing (issue nette#87)
- better searching for proxy IPs
- modified tests

milo added a commit that referenced this issue Mar 29, 2016

Merge pull request #88 from HonzaCZ/master
RequestFactory: Fixed possible remoteAddr spoofing (issue #87)
@milo

Member

commented Mar 29, 2016

Merged cae5d68

@milo milo closed this Mar 29, 2016

dg added a commit that referenced this issue Mar 30, 2016

dg added a commit that referenced this issue Apr 1, 2016

dg added a commit that referenced this issue Apr 2, 2016
