In-Portal Issue Tracker



Viewing Issue Simple Details
ID: 0001317
Category: [In-Portal CMS] Front End
Type: bug report
Reproducibility: always
Date Submitted: 2012-06-11 08:15
Last Update: 2012-10-10 23:58
Reporter: alex
View Status: public
Assigned To: alex
Priority: normal
Resolution: fixed
Status: resolved
Summary: 0001317: Allow to specify what IP address source to use
Description: Right now In-Portal always relies on the $_SERVER['REMOTE_ADDR'] variable to determine the client's IP address.

This does not work in all cases. For example, when behind an Amazon Web Services load balancer, the actual IP address is located in the $_SERVER['X_HTTP_FORWARDED_FOR'] variable.

Always relying on X_HTTP_FORWARDED_FOR and then on REMOTE_ADDR is a bad idea because an attacker could forge a fake IP to pass an IP-based check. To solve this I'm proposing to add a new configuration setting, where the user can select preferred IP address sources, with these possible options:
* $_SERVER['X_HTTP_FORWARDED_FOR']
* getenv('X_HTTP_FORWARDED_FOR')
* $_SERVER['REMOTE_ADDR']
* getenv('REMOTE_ADDR')

Based on server configuration, some of these options might return an empty string instead of an IP address, and it's up to the user to choose what to use. By default we will use $_SERVER['REMOTE_ADDR'] for backward compatibility.

Additional Information: In the end, the method $this->Application->getIP() would return the correct value based on the configuration setting.

Since the IP address check can be performed before application initialization, this new setting must be added to the /system/config.php file instead of the SystemSettings database table. Of course, the install/upgrade wizard steps need to be updated to reflect that.
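
A sketch of the single-source selection proposed in this issue, as an added example and not In-Portal's own code. The function name, the setting values (`server:...`, `env:...`) and the sample addresses are hypothetical. It assumes one trusted load balancer that appends the peer address to the forwarded header, and it goes slightly beyond the issue by validating the value and handling a comma-separated list.

```php
<?php
// Added example, not In-Portal code. Function and setting names are hypothetical.

/**
 * Return the client IP from exactly one configured source, or '' when that
 * source is empty or malformed. There is deliberately no fallback chain:
 * silently falling back to a header lets a client pick its own address.
 */
function resolve_client_ip(string $source, array $server): string
{
    // Setting value => reader. The variable names are the options listed in the issue.
    $readers = [
        'server:X_HTTP_FORWARDED_FOR' => fn() => $server['X_HTTP_FORWARDED_FOR'] ?? '',
        'env:X_HTTP_FORWARDED_FOR'    => fn() => (string) getenv('X_HTTP_FORWARDED_FOR'),
        'server:REMOTE_ADDR'          => fn() => $server['REMOTE_ADDR'] ?? '',
        'env:REMOTE_ADDR'             => fn() => (string) getenv('REMOTE_ADDR'),
    ];

    // Unknown setting value: use the backward-compatible default from the issue.
    $raw = (string) ($readers[$source] ?? $readers['server:REMOTE_ADDR'])();

    // A forwarded header may hold "a, b, c". Entries on the left were supplied
    // by the client. Assumption: the balancer appends the peer it actually saw,
    // so only the last entry is taken.
    $parts = explode(',', $raw);
    $candidate = trim(end($parts));

    // Reject anything that is not a well-formed IPv4/IPv6 address.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : '';
}

// Constructed request: the client sent a forged entry and the balancer
// appended the address it really connected from.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',               // the balancer itself
    'X_HTTP_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7', // forged entry, then appended peer
];

// Behind the balancer: the forwarded source is selected and the forged entry is ignored.
var_dump(resolve_client_ip('server:X_HTTP_FORWARDED_FOR', $server));

// Directly exposed server: only the socket peer address is used.
var_dump(resolve_client_ip('server:REMOTE_ADDR', $server));

// Selected source missing or malformed: empty string, never another source.
var_dump(resolve_client_ip('server:X_HTTP_FORWARDED_FOR', ['REMOTE_ADDR' => '198.51.100.9']));
```

An empty return value should be treated by IP-based checks as "no match" rather than as a reason to try a different source.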


