Make WordPress Core

Opened 6 months ago

Last modified 6 months ago

#41097 (new, defect (bug))

Incorrect parsing of Forwarded header generates warnings

Reported by: tomdxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.8
Component: Administration
Keywords: has-patch
Focuses: administration
Cc:

Description

WordPress 4.8 adds a function WP_Community_Events::get_unsafe_client_ip() which attempts to get the user's IP address from a set of headers (the code: https://github.com/WordPress/WordPress/blob/92175dbd33b51c47089f4c50853987e688b6291b/wp-admin/includes/class-wp-community-events.php#L238-L278 ).

It looks at the following headers:

		// In order of preference, with the best ones for this purpose first.
		$address_headers = array(
			'HTTP_CLIENT_IP',
			'HTTP_X_FORWARDED_FOR',
			'HTTP_X_FORWARDED',
			'HTTP_X_CLUSTER_CLIENT_IP',
			'HTTP_FORWARDED_FOR',
			'HTTP_FORWARDED',
			'REMOTE_ADDR',
		);

It treats them all as comma-delimited lists of IP addresses, which is incorrect. This is because the Forwarded header as defined in RFC 7239 ( https://tools.ietf.org/html/rfc7239 ) looks like this:

   Examples:

       Forwarded: for="_gazonk"
       Forwarded: For="[2001:db8:cafe::17]:4711"
       Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
       Forwarded: for=192.0.2.43, for=198.51.100.17

Steps to reproduce the problem:

  1. Install a browser extension that allows setting arbitrary headers (I'm using ModHeader: https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj )
  2. Use the browser extension to set a realistic Forwarded header such as: Forwarded: for=2001:db8::1, by=2001:db8::2
  3. Visit /wp-admin/

The following warnings will appear in your logs:

PHP Warning:  inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 268
PHP Warning:  inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning:  A non-numeric value encountered in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning:  inet_ntop(): Invalid in_addr value in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
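For comparison, the following is an added example (not WordPress code and not part of the reporter's patch) of how a Forwarded value would have to be split before any address in it is validated: RFC 7239 separates elements with "," and the name=value pairs inside an element with ";", and only the for= pair carries a client address, which may be bracketed, quoted, carry a port, or be an obfuscated token like _gazonk rather than an address at all. The function name and the sample inputs are constructed; the first input is the one from the reproduction steps above.

```php
<?php
// Added example, not WordPress code: extract the first usable "for=" address
// from an RFC 7239 Forwarded header, or null if there is none. Everything in
// this header is client-supplied, so the result is only fit for coarse uses
// such as the event-location lookup in the ticket, never for authorisation.
function parse_forwarded_for( string $header ): ?string {
	// Elements are separated by ",", the pairs within an element by ";".
	foreach ( explode( ',', $header ) as $element ) {
		foreach ( explode( ';', $element ) as $pair ) {
			if ( false === strpos( $pair, '=' ) ) {
				continue; // not a name=value pair, so not RFC 7239 syntax
			}
			list( $name, $value ) = explode( '=', $pair, 2 );
			if ( 'for' !== strtolower( trim( $name ) ) ) {
				continue; // by=, proto=, host= carry no client address
			}
			$value = trim( $value, " \t\"" ); // whitespace and optional quotes

			// "[2001:db8::1]:4711" -> 2001:db8::1 ; "192.0.2.60:1234" -> 192.0.2.60
			if ( preg_match( '/^\[([0-9a-f:.]+)\](?::\d{1,5})?$/i', $value, $m ) ) {
				$value = $m[1];
			} elseif ( preg_match( '/^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$/', $value, $m ) ) {
				$value = $m[1];
			}

			// Obfuscated identifiers ("_gazonk") and "unknown" are not addresses;
			// validating first is what avoids the inet_pton() warnings in the ticket.
			if ( false === filter_var( $value, FILTER_VALIDATE_IP ) ) {
				continue;
			}
			return $value; // first element was added by the proxy nearest the client
		}
	}
	return null;
}

// Constructed inputs; the first is the header from the reproduction steps.
foreach ( array(
	'for=2001:db8::1, by=2001:db8::2',           // unbracketed IPv6, still an address
	'for="[2001:db8:cafe::17]:4711"',            // RFC 7239 example: quoted, bracketed, port
	'for=192.0.2.60;proto=http;by=203.0.113.43', // several pairs in one element
	'for="_gazonk"',                             // obfuscated identifier: no address
	'for=192.0.2.43, for=198.51.100.17',         // two elements, first one wins
) as $h ) {
	var_dump( parse_forwarded_for( $h ) );
}
```

Only the for= pairs are considered and each candidate is validated with filter_var() before anything like inet_pton() would touch it, so a non-address value produces null rather than a warning.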

Attachments (1)

ignore-forwarded-header.patch (428 bytes) - added by tomdxw 6 months ago.
Remove HTTP_FORWARDED from list of headers to be parsed


Change History (2)

@tomdxw
6 months ago

Remove HTTP_FORWARDED from list of headers to be parsed

#1 @tomdxw
6 months ago

  • Keywords has-patch added