dev.horde.org
7/23/25
Comment on [#6133] don't blindly trust x-forwarded-for
> I've removed the usage of X-forwarded-for when checking the safe_ips list. The two other places we use it that aren't simply in log messages are in Auth.php (last login info) and MIME_Headers (the received: header).
>
> I'm guessing that the received header is the one you care about and I'm inclined to agree; throwing out the proxy address there is dubious because it's likely to be useful tracking information. What do you think about including both (the REMOTE_ADDR value, and a parenthetical that it was forwarded for the value of HTTP_X_FORWARDED_FOR)?