User "^demon" posted a comment on MediaWiki.r94487. Full URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/94487#c20795

Commit summary:

When MediaWiki is being run behind a proxy, also check the X-Real-IP header to determine the client's actual IP address (some servers such as nginx might set this instead of X-Forwarded-For depending on configuration).

Comment:

FWIW: we had a guy come into #mediawiki on Friday who was suffering from this problem. His shared hosting puts all users behind a proxy (whether it's nginx or not, I do not know). REMOTE_ADDR had been nulled, and there was no X-Forwarded-For. On dumping his $_SERVER, we found that the proxy ''did'' set X-Real-IP and it was indeed his home IP address.

I didn't make the change to core because I wasn't sure what other ramifications there might be (spoofed X-Real-IP, perhaps?). Your concerns about a spoofed X-Forwarded-For are certainly valid, and I'm wondering if we should revert and just tell people "don't do that." Before Friday, I hadn't heard of someone having this issue before, so I can't imagine it's terribly widespread.

MediaWiki-CodeReview mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
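As an added illustration, not code from r94487 or from MediaWiki core, the Python below shows the rule the spoofing concern in this thread points to: X-Forwarded-For and X-Real-IP are only honoured when REMOTE_ADDR is a proxy the operator has explicitly listed, so a directly connecting client cannot pick its own address. The trusted proxy addresses and the sample requests are constructed for the example.

```python
import ipaddress
from typing import Mapping, Optional, Set


def _valid_ip(value: str) -> Optional[str]:
    """Return a normalised IP string if value parses as IPv4/IPv6, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Set[str]) -> str:
    """Resolve the client address behind a reverse proxy.

    Forwarded headers are trusted only when the TCP peer (REMOTE_ADDR) is an
    operator-listed proxy; otherwise any client could spoof X-Forwarded-For
    or X-Real-IP and, for example, sidestep an IP block. A nulled REMOTE_ADDR
    (the case reported in the thread) yields "" because nothing vouches for
    the headers in that situation.
    """
    peer = _valid_ip(remote_addr)
    if peer is None or peer not in trusted_proxies:
        return peer or ""  # direct connection or unusable REMOTE_ADDR
    # Each trusted hop appends the address it saw, so walk X-Forwarded-For
    # from the right and stop at the first entry that is not one of ours.
    xff = headers.get("X-Forwarded-For", "")
    for hop in reversed([h for h in xff.split(",") if h.strip()]):
        ip = _valid_ip(hop)
        if ip is None:
            break  # malformed chain: fall back rather than guess
        if ip not in trusted_proxies:
            return ip
    # nginx-style single-hop header, the case the commit summary describes.
    real = _valid_ip(headers.get("X-Real-IP", ""))
    return real if real is not None else peer


# Constructed requests (not from the thread): (REMOTE_ADDR, headers).
TRUSTED = {"10.0.0.5", "10.0.0.6"}
SAMPLES = {
    "direct_client_spoofs_real_ip": ("203.0.113.9", {"X-Real-IP": "198.51.100.1"}),
    "nginx_sets_real_ip": ("10.0.0.5", {"X-Real-IP": "198.51.100.1"}),
    "client_prepends_fake_xff": ("10.0.0.5", {"X-Forwarded-For": "192.0.2.7, 198.51.100.1"}),
    "two_trusted_hops": ("10.0.0.5", {"X-Forwarded-For": "198.51.100.1, 10.0.0.6"}),
    "nulled_remote_addr": ("", {"X-Real-IP": "198.51.100.1"}),
}


def resolve_samples() -> dict:
    """Run every sample through client_ip and return {name: resolved_ip}."""
    return {name: client_ip(addr, hdrs, TRUSTED) for name, (addr, hdrs) in SAMPLES.items()}
```

In the spoofing samples the header is ignored and the peer address wins; behind a listed proxy the rightmost non-proxy entry of X-Forwarded-For, or failing that X-Real-IP, is used.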
