From: Ryan Schmidt Date: Mon, 15 Aug 2011 05:25:56 +0000 (+0000) Subject: * Revert r94487 and r19889 to an extent -- ONLY check for the X-Forwarded-For header... X-Git-Tag: 1.31.0-rc.0~28264 X-Git-Url: http://git.cyclocoop.org/%24self?a=commitdiff_plain;h=88152f01f7cbbb01798c5ee755281db21513b5ac;p=lhc%2Fweb%2Fwiklou.git * Revert r94487 and r19889 to an extent -- ONLY check for the X-Forwarded-For header when we are behind a proxy, as mostly every properly configured proxy software sets it, and attempting to support those that do not opens up the ability to spoof IP addresses by setting arbitrary headers. --- diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19 index 2bc2158283..6208e56c74 100644 --- a/RELEASE-NOTES-1.19 +++ b/RELEASE-NOTES-1.19 @@ -36,8 +36,6 @@ production. * Most presentational html attributes like valign are now converted to inline css style rules. These attributes were removed from html5 and so we clean them up when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes. -* When MediaWiki is being run behind a proxy, the X-Real-IP header is now also checked - to determine the client's actual IP address. === Bug fixes in 1.19 === * $wgUploadNavigationUrl should be used for file redlinks if @@ -80,6 +78,8 @@ changes to languages because of Bugzilla reports. * jquery.mwPrototypes module was renamed to jquery.mwExtension. * The maintenance script populateSha1.php was renamed to the more concise populateImageSha1.php +* The Client-IP header is no longer checked for when trying to resolve a client's + real IP address. == Compatibility == diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php index 68b27c9174..e68729fb52 100644 --- a/includes/ProxyTools.php +++ b/includes/ProxyTools.php @@ -7,7 +7,6 @@ /** * Extracts the XFF string from the request header - * Checks first for "X-Forwarded-For", then "Client-ip", then "X-Real-IP" * Note: headers are spoofable * @return string */ 
@@ -20,23 +19,15 @@ function wfGetForwardedFor() { $set[ strtoupper( $tempName ) ] = $tempValue; } $index = strtoupper ( 'X-Forwarded-For' ); - $index2 = strtoupper ( 'Client-ip' ); - $index3 = strtoupper ( 'X-Real-IP' ); } else { // Subject to spoofing with headers like X_Forwarded_For $set = $_SERVER; $index = 'HTTP_X_FORWARDED_FOR'; - $index2 = 'CLIENT-IP'; - $index3 = 'HTTP_X_REAL_IP'; } - #Try a couple of headers + #Try to see if XFF is set if( isset( $set[$index] ) ) { return $set[$index]; - } elseif( isset( $set[$index2] ) ) { - return $set[$index2]; - } elseif( isset( $set[$index3] ) ) { - return $set[$index3]; } else { return null; }
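Review bot: In RELEASE-NOTES-1.19, the added entry "The Client-IP header is no longer checked for when trying to resolve a client's real IP address" does not tell operators what to do instead. The commit message says only X-Forwarded-For is honoured behind a proxy, so the entry should say that a proxy which previously supplied only Client-IP must now be configured to send X-Forwarded-For. "checked for when" would also read better as "checked when".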
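Review bot: In the doc comment of wfGetForwardedFor() in includes/ProxyTools.php, removing the line that listed the headers leaves only "Extracts the XFF string from the request header" and "Note: headers are spoofable", with nothing about when the value may be trusted. Since the body visible in this patch returns the header whenever it is set, the comment should say that only X-Forwarded-For is read and that callers must use the result only when the connecting address is a proxy they trust.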
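Review bot: In the $_SERVER branch of wfGetForwardedFor(), the retained comment "Subject to spoofing with headers like X_Forwarded_For" describes a problem this change leaves open: $set['HTTP_X_FORWARDED_FOR'] is still returned as-is, so a client-supplied underscore variant cannot be told apart from the header the proxy set. Either document that the proxy must strip such variants or track it as a follow-up. As a style point, the new comment "#Try to see if XFF is set" uses "#" while the comment a few lines above uses "//"; one style should be used throughout the function.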