From df0619c7b6a1a764a04f801e8886d43b0b6bfad4 Mon Sep 17 00:00:00 2001
From: Brendan Heywood <brendan@catalyst-au.net>
Date: Tue, 4 Feb 2020 16:56:41 +1100
Subject: [PATCH] MDL-67861 core: Use last ip in X-Forwarded-For list

---
 lib/moodlelib.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 91852d0d2ee..d7fbbfb7f24 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -9215,7 +9215,10 @@ function getremoteaddr($default='0.0.0.0') {
     if (!($variablestoskip & GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR)) {
         if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             $forwardedaddresses = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
-            $address = $forwardedaddresses[0];
+
+            // Multiple proxies can append values to this header including an
+            // untrusted original request header so we must only trust the last ip.
+            $address = end($forwardedaddresses);
 
             if (substr_count($address, ":") > 1) {
                 // Remove port and brackets from IPv6.
-- 
2.17.1