https://bugzilla.wikimedia.org/show_bug.cgi?id=26585

--- Comment #9 from Brion Vibber <br...@pobox.com> 2011-01-08 01:50:33 UTC ---
It *shouldn't* be possible for REMOTE_ADDR to contain more than one IP, but it
looks like it can happen if the server's using something like this Apache
module: http://stderr.net/apache/rpaf/ or this nginx module:
http://wiki.nginx.org/HttpRealIpModule

These will replace the value used to fill REMOTE_ADDR with the X-Forwarded-For
value, and it's a good bet that they're not actually thinking to validate the
value and format it correctly... (the Apache module I found definitely
doesn't). If there was another proxy in the chain, then the X-Forwarded-For
header will have two or more IPs in it, and they can get copied right in.

This isn't an ideal thing to do in your server config -- it's meant to fix
3rd-party apps looking only at REMOTE_ADDR, but is then just as likely to break
them in the multi-IP case -- and it really should be fixed in that module or
whatever similar system is triggering it.


But, when we *do* find ourselves receiving such a bogus value, it's probably
best to treat it like an XFF from a trusted proxy: use the most recent value in
the stack, since it's the IP that the trusted proxy saw itself and can verify.

Patch v2 looks like it should be fine.


_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
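The handling Brion describes above, as an added example that is not part of the bug report or of MediaWiki's own (PHP) code: a small Python module that normalises a REMOTE_ADDR which a realip/rpaf module may have filled with a whole comma-separated X-Forwarded-For chain, keeps only the rightmost (most recent) entry, and rejects anything that is not a syntactically valid IP. It goes one step beyond the comment by also showing the general trusted-proxy walk that the "treat it like an XFF from a trusted proxy" rule is an instance of. The sample addresses and the trusted-proxy set are constructed for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed sample values (not from the bug report): what a server running
# mod_rpaf or ngx_http_realip_module behind a second proxy can hand to PHP.
SAMPLE_BOGUS_REMOTE_ADDR = "203.0.113.5, 198.51.100.7"
SAMPLE_CLEAN_REMOTE_ADDR = "198.51.100.7"
SAMPLE_TRUSTED_PROXIES = {"198.51.100.7"}  # hypothetical trusted front proxy


def split_ip_list(value: str) -> List[str]:
    """Split a comma-separated header/CGI value into validated IP strings.

    Entries that are not syntactically valid IPv4/IPv6 addresses are dropped
    rather than passed through, so an attacker-controlled X-Forwarded-For
    element such as '<script>' never reaches the caller. Order is preserved:
    index 0 is the oldest (furthest) hop, index -1 the newest.
    """
    result = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        result.append(str(addr))  # canonical form, e.g. lower-case, compressed IPv6
    return result


def remote_addr_ip(remote_addr: str) -> Optional[str]:
    """Return the address the nearest proxy actually saw.

    A sane REMOTE_ADDR holds exactly one IP. If a realip/rpaf module copied a
    whole X-Forwarded-For chain into it, the rightmost element is the only one
    the proxy observed on its own socket; everything to its left was reported
    by upstream hops (or forged by the client), so it is not used here.
    """
    ips = split_ip_list(remote_addr)
    return ips[-1] if ips else None


def client_ip(remote_addr: str, x_forwarded_for: str, trusted_proxies) -> Optional[str]:
    """Walk the proxy chain from the newest hop backwards.

    Starting from the normalised REMOTE_ADDR, while the current hop is a proxy
    we trust, step one element further left in X-Forwarded-For. The first hop
    we do not trust is the client; anything left of it came from parties whose
    claims we cannot verify. If every hop is trusted, the last one is returned.
    """
    current = remote_addr_ip(remote_addr)
    if current is None:
        return None
    trusted = {str(ipaddress.ip_address(p)) for p in trusted_proxies}
    chain = split_ip_list(x_forwarded_for)
    while current in trusted and chain:
        current = chain.pop()  # next hop to the left
    return current


if __name__ == "__main__":
    print("bogus REMOTE_ADDR ->", remote_addr_ip(SAMPLE_BOGUS_REMOTE_ADDR))
    print("client behind trusted proxy ->",
          client_ip(SAMPLE_BOGUS_REMOTE_ADDR, SAMPLE_BOGUS_REMOTE_ADDR, SAMPLE_TRUSTED_PROXIES))
```

The walk deliberately consults X-Forwarded-For only while the hop it just trusted is the one that appended the next entry; a client that sends its own forged `X-Forwarded-For: 1.1.1.1` to an untrusted REMOTE_ADDR, or prepends entries to the left of a trusted proxy's own addition, cannot move the result off the address a trusted proxy observed.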
