From 6b202638936967c66813e36c0b9443824834a4aa Mon Sep 17 00:00:00 2001 From: Ryan Schmidt Date: Mon, 15 Aug 2011 04:50:51 +0000 Subject: [PATCH] When MediaWiki is being run behind a proxy, also check the X-Real-IP header to determine the client's actual IP address (some servers such as nginx might set this instead of X-Forwarded-For depending on configuration). --- RELEASE-NOTES-1.19 | 2 ++ includes/ProxyTools.php | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19 index 96b7fa2bb9..2bc2158283 100644 --- a/RELEASE-NOTES-1.19 +++ b/RELEASE-NOTES-1.19 @@ -36,6 +36,8 @@ production. * Most presentational html attributes like valign are now converted to inline css style rules. These attributes were removed from html5 and so we clean them up when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes. +* When MediaWiki is being run behind a proxy, the X-Real-IP header is now also checked + to determine the client's actual IP address. === Bug fixes in 1.19 === * $wgUploadNavigationUrl should be used for file redlinks if diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php index ca485c27e7..68b27c9174 100644 --- a/includes/ProxyTools.php +++ b/includes/ProxyTools.php @@ -7,7 +7,7 @@ /** * Extracts the XFF string from the request header - * Checks first for "X-Forwarded-For", then "Client-ip" + * Checks first for "X-Forwarded-For", then "Client-ip", then "X-Real-IP" * Note: headers are spoofable * @return string */ @@ -21,11 +21,13 @@ function wfGetForwardedFor() { } $index = strtoupper ( 'X-Forwarded-For' ); $index2 = strtoupper ( 'Client-ip' ); + $index3 = strtoupper ( 'X-Real-IP' ); } else { // Subject to spoofing with headers like X_Forwarded_For $set = $_SERVER; $index = 'HTTP_X_FORWARDED_FOR'; $index2 = 'CLIENT-IP'; + $index3 = 'HTTP_X_REAL_IP'; } #Try a couple of headers 
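Review bot: In the `$_SERVER` branch the new `HTTP_X_REAL_IP` key falls under the same caveat as the comment above it, because PHP folds hyphens and underscores into the same `HTTP_*` key. A fronting proxy therefore has to overwrite or drop both spellings of the header, not only `X-Real-IP`. The comment could cover all three keys, e.g. `// Subject to spoofing: X_Forwarded_For, X_Real_IP etc. map to these same keys`. As a style point, `$index3` extends a numbered-variable pattern; an ordered list of header names per branch, such as `$names = array( 'HTTP_X_FORWARDED_FOR', 'CLIENT-IP', 'HTTP_X_REAL_IP' );`, would state the precedence in one place. The function starts above this hunk and continues below it.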
@@ -33,6 +35,8 @@ function wfGetForwardedFor() {
 return $set[$index];
 } elseif( isset( $set[$index2] ) ) {
 return $set[$index2];
+ } elseif( isset( $set[$index3] ) ) {
+ return $set[$index3];
 } else {
 return null;
 }
-- 
2.20.1
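Review bot: X-Real-IP is consulted last in the `elseif` chain, so a client-sent X-Forwarded-For or Client-ip still wins whenever the proxy forwards it unchanged. That includes the nginx setup the commit message describes, where the proxy sets only X-Real-IP. Nothing visible in this function checks that the peer is a trusted proxy or that the returned string is an IP address; presumably the caller does both, but that is outside this patch. The docblock should state the requirement, e.g. `* Note: only meaningful when the proxy overwrites or strips all three headers; callers must verify the peer is a trusted proxy`. The function body starts before this hunk.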