
Process X-Forwarded-For header in correct order

See http://en.wikipedia.org/wiki/X-Forwarded-For#Format. The IP addresses are appended to the right side, so the server communicating with my managed proxy server is the last. This is the only value that can be trusted if I am behind a managed proxy server; all others can be easily spoofed. The last value is also the equivalent of REMOTE_ADDR if I am not behind a reverse proxy.
vrana committed Nov 29, 2012
1 parent c00c516 commit 0742b4c00dd8dc37c6dc4e05498c56a4d45803b2
Showing with 1 addition and 1 deletion.
  1. +1 −1 library/Zend/Session/Validator/RemoteAddr.php
@@ -102,7 +102,7 @@ protected function getIpAddress()
// proxy IP address
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR']) {
$ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
- return trim($ips[0]);
+ return trim(end($ips));
}
}
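Review bot: the new `return trim(end($ips));` returns the last comma-separated field without checking that it is an IP address, so a header that ends in a comma (or carries any non-address text in the final position) makes this method return an empty or arbitrary string. Suggest validating the candidate, for example with `filter_var($ip, FILTER_VALIDATE_IP)`, and returning from this branch only when that succeeds. It is also worth a comment on this line that the rightmost entry is the peer seen by the nearest proxy: with more than one proxy in front of the application it will be another proxy's address rather than the client's, and the visible lines do not show any check that the request arrived through a trusted proxy before `HTTP_X_FORWARDED_FOR` is consulted.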
