Only check X-Forwarded-For if we're in squid mode. It's easy to forge an IP address...

diff --git a/includes/Setup.php b/includes/Setup.php
index 4a210d3..2149dce 100644 (file)
--- a/includes/Setup.php
+++ b/includes/Setup.php
@@ -20,11 +20,12 @@ if ( $wgProfiling and (0 == rand() % $wgProfileSampleRate ) ) {
 
 
 /* collect the originating ips */
-if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
-  $wgIP = trim(preg_replace("/^(.*, )?([^,]+)$/", "$2",
-                        $_SERVER['HTTP_X_FORWARDED_FOR']));
-} else {
-  $wgIP = getenv("REMOTE_ADDR");
+$wgIP = getenv("REMOTE_ADDR");
+if( $wgUseSquid && isset( $_SERVER["HTTP_X_FORWARDED_FOR"] ) ) {
+       # If the web server is behind a reverse proxy, we need to find
+       # out where our requests are really coming from.
+       $wgIP = trim( preg_replace( "/^(.*, )?([^,]+)$/", "$2",
+               $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
 }
 
 $fname = "Setup.php";