[wp-trac] [WordPress Trac] #41097: Incorrect parsing of Forwarded header generates warnings
WordPress Trac
noreply at wordpress.org
Mon Jun 19 13:35:04 UTC 2017
#41097: Incorrect parsing of Forwarded header generates warnings
----------------------------+-----------------------------
Reporter: tomdxw | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 4.8
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
WordPress 4.8 adds a function
`WP_Community_Events::get_unsafe_client_ip()` which attempts to get the
user's IP address from a set of headers (the code:
https://github.com/WordPress/WordPress/blob/92175dbd33b51c47089f4c50853987e688b6291b/wp-admin/includes/class-wp-community-events.php#L238-L278 ).
It looks at the following headers:
{{{
// In order of preference, with the best ones for this purpose first.
$address_headers = array(
    'HTTP_CLIENT_IP',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_X_CLUSTER_CLIENT_IP',
    'HTTP_FORWARDED_FOR',
    'HTTP_FORWARDED',
    'REMOTE_ADDR',
);
}}}
It treats them all as comma-delimited lists of IP addresses which is
incorrect. This is because the `Forwarded` header as defined in RFC 7239 (
https://tools.ietf.org/html/rfc7239 ) looks like this:
{{{
Examples:
Forwarded: for="_gazonk"
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17
}}}
Steps to reproduce the problem:
1. Install a browser extension that allows setting arbitrary headers (I'm using ModHeader:
https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj )
2. Use the browser extension to set a realistic `Forwarded` header such
as: `Forwarded: for=2001:db8::1, by=2001:db8::2`
3. Visit `/wp-admin/`
The following warnings will appear in your logs:
{{{
PHP Warning: inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 268
PHP Warning: inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning: A non-numeric value encountered in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning: inet_ntop(): Invalid in_addr value in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
}}}
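To make the parsing point concrete, here is an added example (not part of the ticket, and not WordPress code) that parses a `Forwarded` header by the RFC 7239 grammar (comma-separated elements, semicolon-separated name=value pairs, values either tokens or quoted-strings, IPv6 nodes bracketed with an optional port, obfuscated identifiers starting with `_`) and extracts the `for` addresses, next to a comma-split approach like the one the ticket describes. The function names, the RFC's example headers and the ticket's repro header used as inputs, and the leniency of accepting an unquoted IPv6 value such as `for=2001:db8::1` (which RFC 7239 says must be bracketed and quoted, but which proxies emit in practice) are all this example's own assumptions.

```python
"""RFC 7239 Forwarded header parser, next to a naive comma-split parser.

Added example; assumes nothing beyond the Python standard library.
"""
import ipaddress
import re

# A forwarded-pair is token "=" (token / quoted-string). We accept a bare value
# of any non-separator characters (assumption: lenient on unquoted IPv6).
_NAME = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_BARE = r'[^;,"\s]+'
_PAIR_RE = re.compile(r'\s*(' + _NAME + r')\s*=\s*(' + _QUOTED + '|' + _BARE + r')\s*')


def _split_top_level(value, sep):
    """Split on sep, ignoring separators that appear inside quoted-strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == sep and not in_quote:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def parse_forwarded(header):
    """Return one dict per forwarded-element (one per proxy hop), keys lower-cased."""
    elements = []
    for element in _split_top_level(header, ','):
        if not element.strip():
            continue  # RFC 7230 list syntax tolerates empty members
        pairs = {}
        for pair in _split_top_level(element, ';'):
            if not pair.strip():
                continue
            m = _PAIR_RE.fullmatch(pair)
            if m is None:
                raise ValueError('malformed forwarded-pair: %r' % pair)
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('"'):
                raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # unescape quoted-pairs
            if name in pairs:
                raise ValueError('duplicate parameter %r in element' % name)
            pairs[name] = raw
        elements.append(pairs)
    return elements


def node_address(node):
    """IP address of a node value, or None for 'unknown', obfuscated (_x) or junk."""
    host = node
    if host.startswith('['):            # "[v6]" or "[v6]:port"
        end = host.find(']')
        if end < 0:
            return None
        host = host[1:end]
    elif host.count(':') == 1:          # "v4:port" or "_obfuscated:port"
        host = host.split(':')[0]
    if host == 'unknown' or host.startswith('_'):
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def forwarded_for_chain(header):
    """The 'for' address of every element that carries one, nearest-client first."""
    return [node_address(el['for']) for el in parse_forwarded(header) if 'for' in el]


def naive_client_ip(header):
    """Comma-split approach as described in the ticket: take the first list member
    and validate it as an address. A real Forwarded member is 'for=...', which is
    not an address, so this yields None (PHP's inet_pton warns instead)."""
    first = header.split(',')[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


if __name__ == '__main__':
    # Constructed inputs: the RFC 7239 examples plus the ticket's repro header.
    for h in ['for="_gazonk"', 'For="[2001:db8:cafe::17]:4711"',
              'for=192.0.2.60;proto=http;by=203.0.113.43',
              'for=192.0.2.43, for=198.51.100.17',
              'for=2001:db8::1, by=2001:db8::2']:
        print('%-45s rfc=%s naive=%s' % (h, forwarded_for_chain(h), naive_client_ip(h)))
```

Two caveats a practitioner would want: every element in the list, including the first, is attacker-supplied unless your own proxy strips incoming `Forwarded` headers, so the only trustworthy `for` value is the one appended by the last proxy you control (the function name `get_unsafe_client_ip` already signals this); and a `for` value can legitimately be `unknown` or an obfuscated `_identifier`, so callers must handle a None result rather than assume an address is always present.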
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41097>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform