set secureHeaders property to prevent IP spoofing #15428
Description

In the `craft\web\Request` class the `$ipHeaders` property overwrites the default values set in the `\yii\web\Request` class. However, the `$secureHeaders` property is not updated accordingly with the same headers. This oversight allows users to spoof their IP addresses. For instance, if someone sets a spoofed `Forwarded-For` header to a random IP address, the method `Craft::$app->getRequest()->getUserIP()` will return this spoofed IP address instead of the user's real IP. This happens because the `Forwarded-For` header is not in the `$secureHeaders` property, making it vulnerable to manipulation.

Tested with Craft version 4.8.7
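To show why the two properties have to agree, the following is an added, simplified PHP model of the Yii2-style filtering logic, not Craft's or Yii's own code: headers listed in `secureHeaders` are dropped when the request does not come from a trusted proxy, and only then are the `ipHeaders` consulted. The function names, the header lists and the sample request are assumptions made for the example.

```php
<?php
// Added example: a simplified model of how a Yii2-style Request treats
// $secureHeaders and $ipHeaders. Not the real Craft/Yii implementation.

/**
 * Drop every header named in $secureHeaders unless the request came
 * from a trusted proxy. Header names are compared case-insensitively.
 */
function filterHeaders(array $headers, array $secureHeaders, bool $fromTrustedHost): array
{
    if ($fromTrustedHost) {
        return $headers;
    }
    $blocked = array_map('strtolower', $secureHeaders);
    return array_filter(
        $headers,
        fn(string $name): bool => !in_array(strtolower($name), $blocked, true),
        ARRAY_FILTER_USE_KEY
    );
}

/**
 * Return the first $ipHeaders entry present in $headers, else REMOTE_ADDR.
 */
function resolveUserIp(array $headers, array $ipHeaders, string $remoteAddr): string
{
    $lower = array_change_key_case($headers, CASE_LOWER);
    foreach ($ipHeaders as $name) {
        $key = strtolower($name);
        if (isset($lower[$key]) && $lower[$key] !== '') {
            // Take the first address of a comma-separated proxy chain.
            return trim(explode(',', $lower[$key])[0]);
        }
    }
    return $remoteAddr;
}

// Constructed request from an untrusted client (not a trusted proxy).
$remoteAddr = '203.0.113.10';
$incoming   = ['Forwarded-For' => '198.51.100.7', 'Host' => 'example.test'];
$ipHeaders  = ['X-Forwarded-For', 'Forwarded-For'];   // assumed, extended list

// Weak: $secureHeaders was not extended, so Forwarded-For is never filtered
// and its client-supplied value is what resolveUserIp() returns.
$weakSecure = ['X-Forwarded-For'];
echo 'weak:  ' . resolveUserIp(filterHeaders($incoming, $weakSecure, false), $ipHeaders, $remoteAddr) . "\n";

// Fixed: every entry of $ipHeaders is also in $secureHeaders, so an
// untrusted client cannot influence the result; REMOTE_ADDR is used.
$fixedSecure = array_merge($weakSecure, $ipHeaders);
echo 'fixed: ' . resolveUserIp(filterHeaders($incoming, $fixedSecure, false), $ipHeaders, $remoteAddr) . "\n";
```

The check to carry into a real configuration is the same one the fixed branch models: every header name in `$ipHeaders` must also appear in `$secureHeaders`, otherwise the filtering step never sees it.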
Related issues