From df0619c7b6a1a764a04f801e8886d43b0b6bfad4 Mon Sep 17 00:00:00 2001
From: Brendan Heywood
Date: Tue, 4 Feb 2020 16:56:41 +1100
Subject: [PATCH] MDL-67861 core: Use last ip in X-Forwarded-For list
---
 lib/moodlelib.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 91852d0d2ee..d7fbbfb7f24 100644
--- lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -9215,7 +9215,10 @@ function getremoteaddr($default='0.0.0.0') {
 if (!($variablestoskip & GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR)) {
 if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 $forwardedaddresses = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
- $address = $forwardedaddresses[0];
+
+ // Multiple proxies can append values to this header including an
+ // untrusted original request header so we must only trust the last ip.
+ $address = end($forwardedaddresses);
 if (substr_count($address, ":") > 1) {
 // Remove port and brackets from IPv6.
--
2.43.0
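Review bot: `end($forwardedaddresses)` is the client address only when exactly one trusted reverse proxy appends to X-Forwarded-For; behind a longer chain (for example a CDN in front of a load balancer) the last entry is the inner proxy, so every request would resolve to the same address for logging and any IP-based restriction, and with no proxy in front the whole header, last entry included, is still client-supplied. The added comment should state that assumption, e.g. `// Assumes a single trusted proxy appends the client ip; with a longer chain the known proxy addresses must be skipped from the right.` Separately, proxies conventionally append with ", ", so after `explode(",", ...)` the last element usually carries a leading space that the first element never had; unless cleanup outside this hunk already trims it, use `$address = trim(end($forwardedaddresses));`. getremoteaddr() starts and ends outside the hunk, so the later handling of `$address` is not visible here.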