#41097 closed defect (bug) (worksforme)
Incorrect parsing of Forwarded header generates warnings
Reported by: | tomdxw | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.8 |
Component: | Administration | Keywords: | has-patch reporter-feedback |
Focuses: | administration | Cc: | |
Description
WordPress 4.8 adds a function WP_Community_Events::get_unsafe_client_ip()
which attempts to get the user's IP address from a set of headers (the code: https://github.com/WordPress/WordPress/blob/92175dbd33b51c47089f4c50853987e688b6291b/wp-admin/includes/class-wp-community-events.php#L238-L278 ).
It looks at the following headers:
```php
// In order of preference, with the best ones for this purpose first.
$address_headers = array(
	'HTTP_CLIENT_IP',
	'HTTP_X_FORWARDED_FOR',
	'HTTP_X_FORWARDED',
	'HTTP_X_CLUSTER_CLIENT_IP',
	'HTTP_FORWARDED_FOR',
	'HTTP_FORWARDED',
	'REMOTE_ADDR',
);
```
It treats them all as comma-delimited lists of IP addresses, which is incorrect. This is because the Forwarded header as defined in RFC 7239 ( https://tools.ietf.org/html/rfc7239 ) looks like this:

Examples:
```
Forwarded: for="_gazonk"
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17
```
Steps to reproduce the problem:
- Install a browser extension that allows setting arbitrary headers (I'm using ModHeader: https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj )
- Use the browser extension to set a realistic `Forwarded` header such as: `Forwarded: for=2001:db8::1, by=2001:db8::2`
- Visit `/wp-admin/`
The following warnings will appear in your logs:
```
PHP Warning: inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 268
PHP Warning: inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning: A non-numeric value encountered in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning: inet_ntop(): Invalid in_addr value in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
```
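One way to read this header by its actual RFC 7239 grammar rather than as a comma-separated IP list, as an added example that is neither the ticket's attached patch nor WordPress code (the function names and the PHP 5.4+ assumption are mine): elements are split on commas, parameters on semicolons, quoted values are unquoted, and the `for` node is validated with `filter_var()`, which returns false on malformed input instead of emitting the `inet_pton()` warnings quoted above. The sample header values are the four RFC examples plus the value from this ticket's reproduction steps.

```php
<?php
// Added example (not WordPress code): parse an RFC 7239 Forwarded header
// value by its grammar. Assumes PHP 5.4+ for array() / list() usage.

/**
 * Return the first "for=" node in a Forwarded header value that is a
 * valid IP address, or null if there is none.
 *
 * Limitation, to keep the example short: a quoted value that itself
 * contains a comma or semicolon is not supported.
 */
function forwarded_client_ip( $header ) {
	foreach ( explode( ',', $header ) as $element ) {
		$params = parse_forwarded_element( $element );
		if ( ! isset( $params['for'] ) ) {
			continue;
		}
		$ip = forwarded_node_to_ip( $params['for'] );
		if ( null !== $ip ) {
			return $ip;
		}
	}
	return null;
}

/**
 * Parse one element ("for=...;proto=...;by=...") into a lower-cased
 * parameter => value map, stripping RFC 7230 quoted-string syntax.
 */
function parse_forwarded_element( $element ) {
	$params = array();
	foreach ( explode( ';', $element ) as $pair ) {
		$pair = trim( $pair );
		if ( '' === $pair || false === strpos( $pair, '=' ) ) {
			continue;
		}
		list( $name, $value ) = explode( '=', $pair, 2 );
		$name  = strtolower( trim( $name ) ); // Parameter names are case-insensitive ("For" == "for").
		$value = trim( $value );
		if ( strlen( $value ) >= 2 && '"' === $value[0] && '"' === substr( $value, -1 ) ) {
			// Drop the surrounding quotes and unescape quoted-pairs (\" and \\).
			$value = preg_replace( '/\\\\(.)/', '$1', substr( $value, 1, -1 ) );
		}
		$params[ $name ] = $value;
	}
	return $params;
}

/**
 * Map an RFC 7239 node identifier to a validated IP string, or null.
 * Node forms: IPv4, or "[IPv6]", each optionally followed by ":port" or an
 * obfuscated ":_port". "unknown" and obfuscated nodes such as "_gazonk"
 * carry no address and yield null. filter_var() never emits warnings on
 * malformed input, unlike inet_pton() as used in the ticket's code path.
 */
function forwarded_node_to_ip( $node ) {
	$port = '(?::(?:[0-9]+|_[A-Za-z0-9._-]+))?';
	if ( preg_match( '/^\[([0-9a-f:.]+)\]' . $port . '$/i', $node, $m ) ) {
		$candidate = $m[1]; // Bracketed IPv6, e.g. "[2001:db8:cafe::17]:4711".
	} elseif ( preg_match( '/^([0-9.]+)' . $port . '$/', $node, $m ) ) {
		$candidate = $m[1]; // IPv4, e.g. "192.0.2.60" or "192.0.2.60:8080".
	} elseif ( substr_count( $node, ':' ) >= 2 && preg_match( '/^[0-9a-f:.]+$/i', $node ) ) {
		// Lenient fallback: a bare IPv6 literal without brackets is not valid
		// RFC 7239 syntax, but it is exactly what this ticket's repro sends.
		$candidate = $node;
	} else {
		return null;
	}
	$ip = filter_var( $candidate, FILTER_VALIDATE_IP );
	return false === $ip ? null : $ip;
}

// Constructed inputs: the RFC 7239 examples plus the value from the repro steps.
$samples = array(
	'for="_gazonk"'                             => null,
	'For="[2001:db8:cafe::17]:4711"'            => '2001:db8:cafe::17',
	'for=192.0.2.60;proto=http;by=203.0.113.43' => '192.0.2.60',
	'for=192.0.2.43, for=198.51.100.17'         => '192.0.2.43',
	'for=2001:db8::1, by=2001:db8::2'           => '2001:db8::1',
);
foreach ( $samples as $header => $expected ) {
	$got = forwarded_client_ip( $header );
	printf( "%-45s => %s\n", $header, var_export( $got, true ) );
	assert( $got === $expected );
}
```

Parsing the header correctly only removes the warnings; it does not make the value trustworthy. As the reproduction steps show, any client can set these headers from a browser extension, which is why the WordPress method is named `get_unsafe_client_ip()`: a `for` node is only meaningful when the header was appended by a proxy the site operator controls.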
Attachments (1)
Change History (5)
#2 @ 5 years ago
- Keywords reporter-feedback added
I could not reproduce this behaviour following the exact steps outlined by OP.
Remove HTTP_FORWARDED from list of headers to be parsed