[wp-trac] Re: [WordPress Trac] #9235: Extract real IP behind a load balancer
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 11 21:07:41 GMT 2009
#9235: Extract real IP behind a load balancer
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: Denis-de-Bernardy
Type: enhancement | Status: accepted
Priority: normal | Milestone: 2.9
Component: Optimization | Version: 2.7
Severity: normal | Keywords: has-patch tested commit early
-------------------------------+--------------------------------------------
Comment(by robertaccettura):
Replying to [comment:17 ryan]:
> Hmm, should we even try to set REMOTE_ADDR if WP_REMOTE_ADDR is not
> defined? I don't think we can safely do anything aside from leaving
> REMOTE_ADDR alone.
Agreed. Not to mention you shouldn't blindly trust HTTP_X_FORWARDED_FOR.
This can cause trouble:
http://marc.info/?l=bugtraq&m=108239864203144&w=2
I don't think anything but REMOTE_ADDR should be done on its own. Leave
it up to the user to decide if they should be trusting an arbitrary
header.
That said, it might be best to do some sort of validation if a
non-remote_addr is used to ensure the response is sane. I think remote_addr
is considered safe because it's calculated by PHP. Other arbitrary
headers are not.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9235#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
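The approach argued for in the comment above, written out as an added example (this is not WordPress core code and not the patch attached to the ticket): REMOTE_ADDR stays authoritative, HTTP_X_FORWARDED_FOR is consulted only when REMOTE_ADDR is a proxy the site owner has explicitly listed, and the forwarded value is validated before it is used. The `$trusted_proxies` list and the `example_client_ip()` name are assumptions for illustration; the ticket discusses a WP_REMOTE_ADDR constant for the same purpose, but its exact semantics are not reproduced here.

```php
<?php
// Added example, not WordPress core code. Derives the client IP the way the
// comment above suggests: REMOTE_ADDR is authoritative unless the site owner
// has explicitly listed the load balancer as trusted, and even then the
// forwarded value is validated before use.

/**
 * Return the client IP, honouring X-Forwarded-For only when REMOTE_ADDR is
 * one of the administrator-configured trusted proxies (assumed config; the
 * ticket discusses a WP_REMOTE_ADDR constant for a similar purpose).
 *
 * @param array    $server          Usually $_SERVER.
 * @param string[] $trusted_proxies IPs of load balancers allowed to set XFF.
 * @return string|null Validated IP, or null if REMOTE_ADDR itself is unusable.
 */
function example_client_ip( array $server, array $trusted_proxies ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? trim( $server['REMOTE_ADDR'] ) : '';
    if ( filter_var( $remote, FILTER_VALIDATE_IP ) === false ) {
        return null; // PHP normally always populates this; treat anything else as broken.
    }

    // Not behind a proxy we know about: never look at client-controlled headers.
    if ( ! in_array( $remote, $trusted_proxies, true ) || empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        return $remote;
    }

    // XFF is "client, proxy1, proxy2"; the rightmost hops are appended by our
    // own proxies, so walk from the right and skip our trusted addresses.
    $hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            continue;
        }
        // First untrusted hop from the right is the client. Validate it: the
        // header is attacker-supplied and may carry garbage or injection payloads.
        if ( filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) !== false ) {
            return $hops[ $i ];
        }
        break; // Malformed value: fall back to what PHP gave us.
    }
    return $remote;
}

// Constructed sample requests for the demo (not captured traffic).
$trusted = array( '10.0.0.1' );

$cases = array(
    'direct, spoofed header ignored'  => array(
        'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' ),
    'via trusted balancer'            => array(
        'REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.1' ),
    'garbage header behind balancer'  => array(
        'REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>' ),
);
foreach ( $cases as $label => $server ) {
    printf( "%-32s -> %s\n", $label, var_export( example_client_ip( $server, $trusted ), true ) );
}
```

The three constructed cases cover the situations the thread is worried about: a direct client sending a forged header (the header is ignored), a request arriving through the listed balancer (the balancer's own hop is stripped and the client address is taken), and a request through the balancer carrying a non-IP payload in the header (the value is rejected and REMOTE_ADDR is used instead).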