r94487 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r94486‎ | r94487 | r94488 >
Date:04:50, 15 August 2011
Author:skizzerz
Status:reverted (Comments)
Tags:
Comment:
When MediaWiki is being run behind a proxy, also check the X-Real-IP header to determine the client's actual IP address (some servers such as nginx might set this instead of X-Forwarded-For depending on configuration).
Modified paths:
  • /trunk/phase3/RELEASE-NOTES-1.19 (modified) (history)
  • /trunk/phase3/includes/ProxyTools.php (modified) (history)

Diff [purge]

Index: trunk/phase3/RELEASE-NOTES-1.19
@@ -36,6 +36,8 @@
3737 * Most presentational html attributes like valign are now converted to inline
3838 css style rules. These attributes were removed from html5 and so we clean them up
3939 when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes.
 40+* When MediaWiki is being run behind a proxy, the X-Real-IP header is now also checked
 41+ to determine the client's actual IP address.
4042
4143 === Bug fixes in 1.19 ===
4244 * $wgUploadNavigationUrl should be used for file redlinks if
Index: trunk/phase3/includes/ProxyTools.php
@@ -7,7 +7,7 @@
88
99 /**
1010 * Extracts the XFF string from the request header
11 - * Checks first for "X-Forwarded-For", then "Client-ip"
 11+ * Checks first for "X-Forwarded-For", then "Client-ip", then "X-Real-IP"
1212 * Note: headers are spoofable
1313 * @return string
1414 */
@@ -21,11 +21,13 @@
2222 }
2323 $index = strtoupper ( 'X-Forwarded-For' );
2424 $index2 = strtoupper ( 'Client-ip' );
 25+ $index3 = strtoupper ( 'X-Real-IP' );
2526 } else {
2627 // Subject to spoofing with headers like X_Forwarded_For
2728 $set = $_SERVER;
2829 $index = 'HTTP_X_FORWARDED_FOR';
2930 $index2 = 'CLIENT-IP';
 31+ $index3 = 'HTTP_X_REAL_IP';
3032 }
3133
3234 #Try a couple of headers
@@ -33,6 +35,8 @@
3436 return $set[$index];
3537 } elseif( isset( $set[$index2] ) ) {
3638 return $set[$index2];
 39+ } elseif( isset( $set[$index3] ) ) {
 40+ return $set[$index3];
3741 } else {
3842 return null;
3943 }

Follow-up revisions

RevisionCommit summaryAuthorDate
r94489* Revert r94487 and r19889 to an extent -- ONLY check for the X-Forwarded-For...skizzerz05:25, 15 August 2011

Comments

#Comment by Tim Starling (talk | contribs)   05:01, 15 August 2011

If nginx set the X-Real-IP header and passed the X-Forwarded-For header, then this would introduce a security vulnerability, since the spoofed X-Forwarded-For header would be used and trusted as if it came from the reverse proxy.

Can you either confirm that nginx strips the X-Forwarded-For header in the relevant configuration, or revert this change?

r19889 suffers from the same problem, but we don't know what server to test in that case.

#Comment by 😂 (talk | contribs)   05:07, 15 August 2011

FWIW: we had a guy come into #mediawiki on Friday who was suffering from this problem. His shared hosting puts all users behind a proxy (whether it's nginx or not, I do not know). REMOTE_ADDR had been nulled, and there was no X-Forwarded-For. On dumping his $_SERVER, we found that the proxy did set X-Real-IP and it was indeed his home IP address.

I didn't make the change to core because I wasn't sure what other ramifications there might be (spoofed X-Real-IP, perhaps?). Your concerns about a spoofed X-Forwarded-For are certainly valid, and I'm wondering if we should revert and just tell people "don't do that." Before Friday, I hadn't heard of someone having this issue before, so I can't imagine it's terribly widespread.

#Comment by Tim Starling (talk | contribs)   05:14, 15 August 2011

If it's a problem with a single hosting provider, then we can deal with it by having one of their customers open a ticket with them.

Status & tagging log