On Tue, Nov 13, 2012 at 03:30:56PM -0800, Cameron Junge wrote:
> While not a vulnerability, per se, it is something that all web developers
> (PHP or otherwise) should be aware of.
>
> The summary is: The x-forwarded-for header should NEVER be trusted.

That's true.

[ Long explanation why x-forwarded-for should not be trusted *at all* ]

> On Wednesday, November 14, 2012 3:35:13 AM UTC+13, Fabien Potencier wrote:
> >
> > It's not a vulnerability. You need to call the trustProxy() method only
> > when you have a trusted reverse proxy in front of your website (like
> > Varnish for instance).

Yes, but grepping for X_FORWARDED_FOR in the Symfony (standard) code gives me two hits that use it.

Symfony/Component/HttpFoundation/Request.php

Which uses it to find clientIp if trustProxy is true. So, if it is to be avoided at any cost, it should be removed from there. The fact that trustProxy is static is secondary, and the security implications can be discussed.

One direct relation to the Stackoverflow issue is in the other code part where it can be found:

web/app_dev.php

There it is being used to find the IP and check for localhost.

You can argue that app_dev.php is no issue since the documentation tells that it should be removed when in production, but we all know that many developers out there do not read that part nor think about the implications of having it available. And if you have the whole code tree in git and deploy tags, it will just happen if you are not careful. And some would just as well look at it as a convenience to keep it.

And then you have common development servers and staging. Many might not have come as far as reading the documentation about deploying to production yet, and still use a copy of (old) production as test data.

Thomas.

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
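To make the point about the two Symfony hits concrete, here is an added PHP example (not Symfony's Request.php or app_dev.php, and not part of the thread) of the difference between reading X-Forwarded-For blindly and reading it only when the TCP peer is a proxy you operate. The function names, the trusted-proxy list and the request arrays are constructed for the example; it assumes PHP 7 or later.

```php
<?php
// Resolve the client IP, honouring X-Forwarded-For only when the directly
// connected peer (REMOTE_ADDR) is a proxy we run. $server is the $_SERVER
// array; $trustedProxies is a constructed list of our own proxy addresses.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // No trusted proxy in front of us: the socket peer is the client and
    // any X-Forwarded-For header was written by that peer, so ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Walk the chain from the right (nearest hop). Skip every hop that is
    // one of our proxies; the first address that is not ours is the client.
    // Everything further left was appended by parties we do not control.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if ($hops[$i] === '' || !filter_var($hops[$i], FILTER_VALIDATE_IP)) {
            return $remote; // malformed chain: fall back to the socket address
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was one of ours
}

// The kind of gate app_dev.php is used for: only local requests get through.
function isLocalhost(string $ip): bool
{
    return in_array($ip, ['127.0.0.1', '::1', 'fe80::1'], true);
}

// Constructed request from an untrusted peer carrying its own header: the
// header is ignored, so the gate stays closed.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
var_dump(isLocalhost(clientIp($direct, ['10.0.0.2'])));

// Constructed request that really came through our proxy 10.0.0.2: the
// rightmost non-proxy hop (198.51.100.7) is taken as the client address.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2',
             'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];
var_dump(clientIp($viaProxy, ['10.0.0.2']));
```

Without a trusted-proxy list (the blind variant) the first request would be treated as localhost, which is exactly why reading the header is only safe once a known reverse proxy sits in front of the application.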