Trust the first non-trusted-proxy IP address from the right #51

Merged on Dec 19, 2024 (4 commits)

@akrabat (Owner) commented Dec 17, 2024

When determining the client's IP address from a forwarded header, we need to take the rightmost IP address that is not a trusted proxy, as this IP address is the one added by the trusted proxy. Any other IP addresses to the left of that one could have been spoofed and so are untrustworthy.

Supersedes #50.

Closes #45

It's easier to type `composer check` to ensure that the changes will
pass CI.
We want the IP address that is immediately next after the known proxies.
Any IP addresses to the left after the known proxies are irrelevant and
could have been spoofed. Therefore we need to select the first IP
address from the right that is not a trusted proxy.
@akrabat akrabat force-pushed the 45-trust-from-the-right branch from f88ca0f to 3595b64 Compare December 17, 2024 20:08
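
The right-to-left selection described in the pull request and commit message above, as an added PHP example; it is not the code merged in this pull request. The function name `resolveClientIp`, the exact-match trusted list (no CIDR ranges) and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not the middleware's own code (PHP 7.2 compatible).
 * Walk X-Forwarded-For from the right and stop at the first hop that is
 * not a trusted proxy. $trustedProxies holds exact IP addresses only.
 */
function resolveClientIp(string $remoteAddr, string $forwardedFor, array $trustedProxies): string
{
    // Compare packed binary forms so different spellings of one IPv6 address match.
    $trustedPacked = [];
    foreach ($trustedProxies as $proxy) {
        if (filter_var($proxy, FILTER_VALIDATE_IP) !== false) {
            $trustedPacked[] = inet_pton($proxy);
        }
    }
    $isTrusted = function (string $ip) use ($trustedPacked): bool {
        return filter_var($ip, FILTER_VALIDATE_IP) !== false
            && in_array(inet_pton($ip), $trustedPacked, true);
    };

    // The header only means something if the direct peer is one of our proxies.
    if (!$isTrusted($remoteAddr)) {
        return $remoteAddr;
    }

    $client = $remoteAddr;
    $hops = array_reverse(array_map('trim', explode(',', $forwardedFor)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we can vouch for
        }
        $client = $hop;
        if (!$isTrusted($hop)) {
            break; // appended by a trusted proxy; entries further left are client-supplied
        }
    }
    return $client;
}

// Constructed sample: the client 203.0.113.7 sent its own header value "10.9.9.9",
// then the request passed through proxies 192.0.2.2 and 192.0.2.1.
$trusted = ['192.0.2.1', '192.0.2.2'];
$header  = '10.9.9.9, 203.0.113.7, 192.0.2.2';
echo resolveClientIp('192.0.2.1', $header, $trusted), "\n";    // peer is a trusted proxy
echo resolveClientIp('198.51.100.4', $header, $trusted), "\n"; // peer is not a proxy: header ignored
```

If every entry in the header is a trusted proxy, this sketch returns the leftmost one rather than guessing at an address that no proxy recorded.
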
@akrabat (Owner, Author) commented Dec 17, 2024

@aiglesiasn, @cxlblm: I would appreciate a look-over of this proposed solution.

@aiglesiasn (Contributor) left a comment

@akrabat this is great.

@cxlblm left a comment

I don't see any other issues.

src/IpAddress.php (outdated)
This is not supported on PHP 7.2.
@akrabat akrabat merged commit 00a053e into main Dec 19, 2024
12 checks passed
@akrabat akrabat deleted the 45-trust-from-the-right branch December 19, 2024 20:26
@akrabat akrabat added this to the 2.5.0 milestone Dec 19, 2024
Successfully merging this pull request may close these issues.

The obtained IP address is spoofed by the user
3 participants