r94489 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r94488‎ \| r94489 \| r94490 >
Date:	05:25, 15 August 2011
Author:	skizzerz
Status:	ok
Tags:
Comment:	* Revert r94487 and r19889 to an extent -- ONLY check for the X-Forwarded-For header when we are behind a proxy, as mostly every properly configured proxy software sets it, and attempting to support those that do not opens up the ability to spoof IP addresses by setting arbitrary headers.
Modified paths:	/trunk/phase3/RELEASE-NOTES-1.19 (modified) (history) /trunk/phase3/includes/ProxyTools.php (modified) (history)

Diff [purge]

Index: trunk/phase3/RELEASE-NOTES-1.19
—	—	@@ -36,8 +36,6 @@
37	37	* Most presentational html attributes like valign are now converted to inline
38	38	css style rules. These attributes were removed from html5 and so we clean them up
39	39	when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes.
40		~~-* When MediaWiki is being run behind a proxy, the X-Real-IP header is now also checked~~
41		~~- to determine the client's actual IP address.~~
42	40
43	41	=== Bug fixes in 1.19 ===
44	42	* $wgUploadNavigationUrl should be used for file redlinks if
—	—	@@ -80,6 +78,8 @@
81	79	* jquery.mwPrototypes module was renamed to jquery.mwExtension.
82	80	* The maintenance script populateSha1.php was renamed to the more concise
83	81	populateImageSha1.php
	82	+* The Client-IP header is no longer checked for when trying to resolve a client's
	83	+ real IP address.
84	84
85	85	== Compatibility ==
86	86
Index: trunk/phase3/includes/ProxyTools.php
—	—	@@ -7,7 +7,6 @@
8	8
9	9	/**
10	10	* Extracts the XFF string from the request header
11		~~- * Checks first for "X-Forwarded-For", then "Client-ip", then "X-Real-IP"~~
12	11	* Note: headers are spoofable
13	12	* @return string
14	13	*/
—	—	@@ -20,23 +19,15 @@
21	20	$set[ strtoupper( $tempName ) ] = $tempValue;
22	21	}
23	22	$index = strtoupper ( 'X-Forwarded-For' );
24		~~- $index2 = strtoupper ( 'Client-ip' );~~
25		~~- $index3 = strtoupper ( 'X-Real-IP' );~~
26	23	} else {
27	24	// Subject to spoofing with headers like X_Forwarded_For
28	25	$set = $_SERVER;
29	26	$index = 'HTTP_X_FORWARDED_FOR';
30		~~- $index2 = 'CLIENT-IP';~~
31		~~- $index3 = 'HTTP_X_REAL_IP';~~
32	27	}
33	28
34		~~- #Try a couple of headers~~
	29	+ #Try to see if XFF is set
35	30	if( isset( $set[$index] ) ) {
36	31	return $set[$index];
37		~~- } elseif( isset( $set[$index2] ) ) {~~
38		~~- return $set[$index2];~~
39		~~- } elseif( isset( $set[$index3] ) ) {~~
40		~~- return $set[$index3];~~
41	32	} else {
42	33	return null;
43	34	}

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r19889	* Added useragent and an xff function and header	aaron	01:02, 12 February 2007
r94487	When MediaWiki is being run behind a proxy, also check the X-Real-IP header t...	skizzerz	04:50, 15 August 2011

Status & tagging log

14:18, 16 August 2011 😂 (talk | contribs) changed the status of r94489 [removed: new added: ok]