dynamic / silverstripe-maintenance-mode

Maintenance/Offline Mode Module for SilverStripe
BSD 2-Clause "Simplified" License

Extension vulnerable to IP spoofing, should use framework to retrieve IP. #15

Closed patricknelson closed 9 years ago

patricknelson commented 9 years ago

While possibly minor, the extension should use the existing method for retrieving IP address here: https://github.com/silverstripe/silverstripe-framework/blob/3/control/HTTPRequest.php#L657

This is because it goes through the necessary security checks to ensure that the relevant IP HTTP request headers are from a trusted proxy first before accepting them.
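The difference between reading a forwarding header directly and routing the lookup through a trusted-proxy check, as an added PHP illustration that is neither this module's code nor the framework's `getIP()`; the proxy list and the request array are assumed and constructed here:

```php
<?php
// Added illustration, not the module's or the framework's code. Assumed: the
// trusted proxy addresses come from configuration ($trustedProxies is
// hypothetical); the constructed $server array stands in for $_SERVER.

/**
 * Vulnerable pattern: trusts a client-controlled header unconditionally.
 * A request can carry any value in X-Forwarded-For, so an IP allow-list
 * built on this value is trivially bypassed.
 */
function getIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

/**
 * Hardened pattern: honour X-Forwarded-For only when the direct peer
 * (REMOTE_ADDR) is a trusted proxy, then walk the chain from the right,
 * skipping every trusted hop, so the first untrusted hop is the client.
 */
function getIpTrusted(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // not behind a proxy we trust: ignore the header entirely
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $chain = array_filter($chain, fn($ip) => filter_var($ip, FILTER_VALIDATE_IP) !== false);
    // The rightmost entry was appended by the nearest proxy; step left while hops are trusted.
    for ($ip = end($chain); $ip !== false; $ip = prev($chain)) {
        if (!in_array($ip, $trustedProxies, true)) {
            return $ip;
        }
    }
    return $remote; // chain empty or made up only of trusted hops
}

// Constructed request: client -> CDN edge -> load balancer -> this server,
// where the client also injected an internal-looking address at the front.
$trustedProxies = ['203.0.113.10', '10.0.0.5']; // assumed edge and LB addresses
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.77, 203.0.113.10',
];
echo "naive:   ", getIpNaive($server), "\n";                   // client-supplied first entry
echo "trusted: ", getIpTrusted($server, $trustedProxies), "\n"; // first untrusted hop from the right
```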

dljoseph commented 9 years ago

Good catch... I'll submit a patch in a few moments.

patricknelson commented 9 years ago

I'm already on it.

dljoseph commented 9 years ago

lol - ok cool... over to you :)

patricknelson commented 9 years ago

It's effectively a one line change (except for the lines being deleted) 👍

It just stood out to me since I had to deal with this already with 2-3 different interstitial proxies between clients and my site (client -> Akamai -> Load Balancer -> 1 of several servers).

dljoseph commented 9 years ago

Top man! Merged. New release v1.0.1 created.