User "Tim Starling" changed the status of MediaWiki.r94487. Old Status: new New Status: fixme
User "Tim Starling" also posted a comment on MediaWiki.r94487. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/94487#c20794

Commit summary:
When MediaWiki is being run behind a proxy, also check the X-Real-IP header to determine the client's actual IP address (some servers such as nginx might set this instead of X-Forwarded-For depending on configuration).

Comment:
If nginx set the X-Real-IP header and passed the X-Forwarded-For header, then this would introduce a security vulnerability, since the spoofed X-Forwarded-For header would be used and trusted as if it came from the reverse proxy. Can you either confirm that nginx strips the X-Forwarded-For header in the relevant configuration, or revert this change? r19889 suffers from the same problem, but we don't know what server to test in that case.

_______________________________________________
MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
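The trust problem described in the comment, as an added example (not MediaWiki's own code): a resolver that consults X-Forwarded-For whenever it is present, beside one that consults only the single header the proxy is configured to overwrite, and only when the connecting peer is a proxy we operate. The proxy address range, the header name and the request values are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the ranges our reverse proxies connect from,
# and the one header the proxy is configured to overwrite on every request.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
PROXY_SET_HEADER = "X-Real-IP"


def is_trusted_proxy(addr):
    """True if the TCP peer address belongs to one of our own proxies."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr, headers):
    """The pattern the review objects to: use X-Forwarded-For whenever it is
    present, then X-Real-IP, without checking who actually sent the header."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    real = headers.get("X-Real-IP")
    if real:
        return real.strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Believe exactly one forwarding header, and only when the peer is a proxy
    we operate. A header the proxy passes through unchanged is attacker
    controlled and is never consulted, whatever it contains."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr  # direct connection: headers are the client's own
    value = headers.get(PROXY_SET_HEADER, "").strip()
    try:
        ip_address(value)  # reject empty or malformed values such as "a, b"
    except ValueError:
        return remote_addr
    return value


if __name__ == "__main__":
    # Constructed request: nginx (10.0.0.2) sets X-Real-IP to the peer it saw
    # and passes the client's own X-Forwarded-For through untouched.
    hdrs = {"X-Real-IP": "198.51.100.7", "X-Forwarded-For": "203.0.113.5"}
    print(client_ip_naive("10.0.0.2", hdrs))     # 203.0.113.5 (client-chosen)
    print(client_ip_hardened("10.0.0.2", hdrs))  # 198.51.100.7
```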
