From 88152f01f7cbbb01798c5ee755281db21513b5ac Mon Sep 17 00:00:00 2001
From: Ryan Schmidt
Date: Mon, 15 Aug 2011 05:25:56 +0000
Subject: [PATCH] * Revert r94487 and r19889 to an extent -- ONLY check for the X-Forwarded-For header when we are behind a proxy, as mostly every properly configured proxy software sets it, and attempting to support those that do not opens up the ability to spoof IP addresses by setting arbitrary headers.
---
 RELEASE-NOTES-1.19 | 4 ++--
 includes/ProxyTools.php | 11 +----------
 2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19
index 2bc2158283..6208e56c74 100644
--- a/RELEASE-NOTES-1.19
+++ b/RELEASE-NOTES-1.19
@@ -36,8 +36,6 @@ production.
 * Most presentational html attributes like valign are now converted to inline css style rules. These attributes were removed from html5 and so we clean them up when $wgHtml5 is enabled. This can be disabled using $wgCleanupPresentationalAttributes.
-* When MediaWiki is being run behind a proxy, the X-Real-IP header is now also checked
- to determine the client's actual IP address.
 
 === Bug fixes in 1.19 ===
 * $wgUploadNavigationUrl should be used for file redlinks if
@@ -80,6 +78,8 @@ changes to languages because of Bugzilla reports.
 * jquery.mwPrototypes module was renamed to jquery.mwExtension.
 * The maintenance script populateSha1.php was renamed to the more concise populateImageSha1.php
+* The Client-IP header is no longer checked for when trying to resolve a client's
+ real IP address.
 
 == Compatibility ==
 
diff --git a/includes/ProxyTools.php b/includes/ProxyTools.php
index 68b27c9174..e68729fb52 100644
--- a/includes/ProxyTools.php
+++ b/includes/ProxyTools.php
@@ -7,7 +7,6 @@
 
 /**
 * Extracts the XFF string from the request header
- * Checks first for "X-Forwarded-For", then "Client-ip", then "X-Real-IP"
 * Note: headers are spoofable
 * @return string
 */
@@ -20,23 +19,15 @@ function wfGetForwardedFor() {
 $set[ strtoupper( $tempName ) ] = $tempValue;
 }
 $index = strtoupper ( 'X-Forwarded-For' );
- $index2 = strtoupper ( 'Client-ip' );
- $index3 = strtoupper ( 'X-Real-IP' );
 } else {
 // Subject to spoofing with headers like X_Forwarded_For
 $set = $_SERVER;
 $index = 'HTTP_X_FORWARDED_FOR';
- $index2 = 'CLIENT-IP';
- $index3 = 'HTTP_X_REAL_IP';
 }
 
- #Try a couple of headers
+ #Try to see if XFF is set
 if( isset( $set[$index] ) ) {
 return $set[$index];
- } elseif( isset( $set[$index2] ) ) {
- return $set[$index2];
- } elseif( isset( $set[$index3] ) ) {
- return $set[$index3];
 } else {
 return null;
 }
-- 
2.20.1
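Review bot: `return $set[$index];` hands back the raw, client-controlled X-Forwarded-For value, and nothing in the visible part of wfGetForwardedFor checks that the immediate peer (REMOTE_ADDR) is a trusted proxy or that the string is even a list of IP addresses, so the "only when behind a proxy" guarantee from the commit message rests entirely on callers that are not in this hunk. I would pin that contract right above the `if( isset( $set[$index] ) )` check: `// Raw, spoofable header: callers must confirm REMOTE_ADDR is a trusted proxy and walk the XFF chain from the right before trusting any address in it.` The `$_SERVER` fallback already warns that an `X_Forwarded_For` header lands in the same `HTTP_X_FORWARDED_FOR` slot, which is worth repeating in that contract because a front proxy that strips only the hyphenated form would presumably let the underscore variant through. The function's opening and closing braces lie outside the hunk, and the file's docblock still says `@return string` although the `return null;` path survives this change.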