MDL-67861 core: Use last ip in X-Forwarded-For list
authorBrendan Heywood <brendan@catalyst-au.net>
Tue, 4 Feb 2020 05:56:41 +0000 (16:56 +1100)
committerEloy Lafuente (stronk7) <stronk7@moodle.org>
Thu, 5 Mar 2020 00:28:04 +0000 (01:28 +0100)
lib/moodlelib.php

index 91852d0..d7fbbfb 100644 (file)
@@ -9215,7 +9215,10 @@ function getremoteaddr($default='0.0.0.0') {
     if (!($variablestoskip & GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR)) {
         if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             $forwardedaddresses = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
-            $address = $forwardedaddresses[0];
+
+            // Multiple proxies can append values to this header including an
+            // untrusted original request header so we must only trust the last ip.
+            $address = end($forwardedaddresses);
 
             if (substr_count($address, ":") > 1) {
                 // Remove port and brackets from IPv6.
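Review bot: `end($forwardedaddresses)` returns the element with whatever whitespace followed the last comma, and the header is conventionally written as `ip1, ip2`, so the new value is likely `" ip2"` with a leading space; unless the cleaning step that follows outside this hunk normalises whitespace, the line should be `$address = trim(end($forwardedaddresses));`. The new comment states the trust rule but not the condition it depends on: the last entry is only as trustworthy as the hop that appended it, so I would extend it with `// This is only safe when the nearest hop is a proxy we control, which is why this branch is gated by the skip flags above.` rather than leaving "we must only trust" unqualified. The remainder of `getremoteaddr()` continues outside the hunk.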