- Type: Bug Report
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 5.1.3
- Fix Version/s: 5.2.1-B1
- Component/s: Front End
- Labels:
- External issue URL:
- Additional information:
- Change Log Message: Improving IP address detection
- Story Points: 1
- External issue ID: 1317
- Copy Issue Key:
- Patch Instructions:

Right now In-Portal always relies on the $_SERVER['REMOTE_ADDR'] variable to determine the client's IP address.
This does not work in all cases. For example, when behind an Amazon Web Services load balancer, the actual IP address is located in the $_SERVER['X_HTTP_FORWARDED_FOR'] variable.
Always relying on X_HTTP_FORWARDED_FOR and then on REMOTE_ADDR is a bad idea, because an attacker could forge a fake IP to pass an IP-based check. To solve this I'm proposing to add a new configuration setting, where the user can select preferred IP address sources, with these possible options:
- $_SERVER['X_HTTP_FORWARDED_FOR']
- getenv('X_HTTP_FORWARDED_FOR')
- $_SERVER['REMOTE_ADDR']
- getenv('REMOTE_ADDR')
Based on server configuration, some of these options might return an empty string instead of an IP address, and it's up to the user to choose what to use. By default we will use $_SERVER['REMOTE_ADDR'] for backward compatibility.
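
One way the proposed setting could be evaluated, as an added example that is not In-Portal's own code: the function name `resolveClientIp()` and the `server:` / `env:` source syntax are assumptions, and the request data is constructed. It walks the configured sources in order, skips empty ones, and validates whatever it finds before using it.

```php
<?php
// Added example, not In-Portal code. resolveClientIp() and the
// "server:" / "env:" source syntax are hypothetical.

// $sources: ordered list such as 'server:REMOTE_ADDR'.
// $server:  normally $_SERVER; $env: normally getenv() (PHP 7.1+).
function resolveClientIp(array $sources, array $server, array $env): ?string
{
    foreach ($sources as $source) {
        [$type, $key] = explode(':', $source, 2) + [1 => ''];
        $pool = $type === 'env' ? $env : $server;
        $raw = trim((string) ($pool[$key] ?? ''));
        if ($raw === '') {
            continue; // this source is empty on this server, try the next
        }
        // A forwarded-for value may be a list "a, b, c". Each proxy appends
        // the peer it saw, so only the last entry was written by the nearest
        // proxy; earlier entries are whatever the client sent.
        $parts = explode(',', $raw);
        $candidate = trim(end($parts));
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null; // no configured source produced a valid address
}

// Constructed request data: the client forged the first list entry.
// Key names follow the issue text; stock PHP exposes the X-Forwarded-For
// request header as HTTP_X_FORWARDED_FOR.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',               // load balancer
    'X_HTTP_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7', // forged, real
];

// Default (backward compatible): only REMOTE_ADDR is consulted.
var_dump(resolveClientIp(['server:REMOTE_ADDR'], $server, []));

// Behind a load balancer: forwarded value first, REMOTE_ADDR as fallback.
$behindProxy = ['server:X_HTTP_FORWARDED_FOR', 'env:X_HTTP_FORWARDED_FOR',
                'server:REMOTE_ADDR'];
var_dump(resolveClientIp($behindProxy, $server, []));
```

A forwarded-for source belongs in the list only when the server is reachable solely through the proxy; if clients can connect directly, every entry in the header is client-controlled.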