Andrew Garrett wrote:
> We were checking $_SERVER['X_FORWARDED_FOR'], which reads the
> X-Forwarded-For header. Unfortunately, it could be overridden by sending
> an X_Forwarded_For header.
>
> We resolved it by using the Apache-specific header retrieval functions
> instead of PHP's broken internal implementation.

It's not PHP's fault. The HTTP_* environment variables are part of the CGI standard, which provides no way to distinguish between X-Forwarded-For and x_forwarded_for.

http://hoohoo.ncsa.illinois.edu/cgi/env.html#headers

So really it's NCSA's fault for inventing such a broken protocol, and Apache's fault for implementing it. There's not much PHP can do at that point, apart from implementing SAPI-specific workarounds, which is what they did.

-- Tim Starling

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
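
Added example, not part of the original thread and not MediaWiki or PHP code: a Python model of the CGI header-to-variable mapping discussed above, a check that reports header spellings landing on the same HTTP_* variable, and a front-end filter that drops underscore-named headers before the mapping. The function names, the sample request and the "last header wins" behaviour are assumptions made for illustration.

```python
"""Model of the CGI HTTP_* mapping and a front-end filter (illustrative)."""


def cgi_env_name(header_name):
    # CGI rule: prefix HTTP_, upper-case the name, turn '-' into '_'.
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers):
    """Build the HTTP_* variables from (name, value) pairs in arrival order.

    Assumption: a later header overwrites an earlier one that maps to the
    same variable. Servers differ here, but in every case the script cannot
    tell which spelling supplied the value.
    """
    env = {}
    for name, value in headers:
        env[cgi_env_name(name)] = value
    return env


def find_collisions(headers):
    """Return {variable: [header spellings]} where several names collide."""
    seen = {}
    for name, _ in headers:
        spellings = seen.setdefault(cgi_env_name(name), [])
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() not in (s.lower() for s in spellings):
            spellings.append(name)
    return {var: names for var, names in seen.items() if len(names) > 1}


def drop_underscore_headers(headers):
    """Mitigation at the front end: discard header names containing '_',
    so only the hyphenated form can reach the CGI mapping."""
    return [(name, value) for name, value in headers if "_" not in name]


# Constructed sample request (documentation-range addresses).
SAMPLE = [
    ("Host", "wiki.example"),
    ("X-Forwarded-For", "203.0.113.7"),    # added by the trusted proxy
    ("X_Forwarded_For", "198.51.100.99"),  # supplied by the client
]

if __name__ == "__main__":
    print("unfiltered:", build_cgi_env(SAMPLE)["HTTP_X_FORWARDED_FOR"])
    print("collisions:", find_collisions(SAMPLE))
    clean = drop_underscore_headers(SAMPLE)
    print("filtered:  ", build_cgi_env(clean)["HTTP_X_FORWARDED_FOR"])
```
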
