
Opened 7 years ago

Closed 5 years ago

Last modified 5 years ago

#41097 closed defect (bug) (worksforme)

Incorrect parsing of Forwarded header generates warnings

Reported by: tomdxw
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.8
Component: Administration
Keywords: has-patch reporter-feedback
Focuses: administration
Cc:

Description

WordPress 4.8 adds a function WP_Community_Events::get_unsafe_client_ip() which attempts to get the user's IP address from a set of headers (the code: https://github.com/WordPress/WordPress/blob/92175dbd33b51c47089f4c50853987e688b6291b/wp-admin/includes/class-wp-community-events.php#L238-L278 ).

It looks at the following headers:

		// In order of preference, with the best ones for this purpose first.
		$address_headers = array(
			'HTTP_CLIENT_IP',
			'HTTP_X_FORWARDED_FOR',
			'HTTP_X_FORWARDED',
			'HTTP_X_CLUSTER_CLIENT_IP',
			'HTTP_FORWARDED_FOR',
			'HTTP_FORWARDED',
			'REMOTE_ADDR',
		);

It treats them all as comma-delimited lists of IP addresses, which is incorrect. This is because the Forwarded header as defined in RFC 7239 ( https://tools.ietf.org/html/rfc7239 ) looks like this:

   Examples:

       Forwarded: for="_gazonk"
       Forwarded: For="[2001:db8:cafe::17]:4711"
       Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
       Forwarded: for=192.0.2.43, for=198.51.100.17

Steps to reproduce the problem:

  1. Install a browser extension that allows setting arbitrary headers (I'm using ModHeader: https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj )
  2. Use the browser extension to set a realistic Forwarded header such as: Forwarded: for=2001:db8::1, by=2001:db8::2
  3. Visit /wp-admin/

The following warnings will appear in your logs:

PHP Warning:  inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 268
PHP Warning:  inet_pton(): Unrecognized address for=2001:db8::1 in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning:  A non-numeric value encountered in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
PHP Warning:  inet_ntop(): Invalid in_addr value in /var/www/html/wp-admin/includes/class-wp-community-events.php on line 274
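Added example (not WordPress core code and not the reporter's patch): parsing the Forwarded header by its RFC 7239 grammar, keeping only the `for` parameters and validating each value before it reaches inet_pton(), so a header like the one in the reproduction steps yields an address instead of the warnings above. Function names are hypothetical.

```php
<?php
// Added example, not WordPress core code: parse an RFC 7239 Forwarded header
// and keep only syntactically valid addresses from its "for" parameters.
// Function names are hypothetical. The header is client-controlled input, so
// each candidate is validated before inet_pton() ever sees it.

// Grammar (RFC 7239): value = element *( "," element )
//                     element = pair *( ";" pair ); pair = token "=" ( token / quoted-string )
// IPv6 node identifiers must be bracketed and quoted, e.g. "[2001:db8::1]:4711".
function parse_forwarded_for( $header ) {
	$ips = array();
	foreach ( explode( ',', $header ) as $element ) {
		foreach ( explode( ';', $element ) as $pair ) {
			if ( false === strpos( $pair, '=' ) ) {
				continue; // not a name=value pair; ignore.
			}
			list( $name, $value ) = explode( '=', $pair, 2 );
			if ( 'for' !== strtolower( trim( $name ) ) ) {
				continue; // "by", "host" and "proto" do not identify the client.
			}
			$value = trim( trim( $value ), '"' );
			if ( preg_match( '/^\[([0-9a-fA-F:.]+)\](?::\d+)?$/', $value, $m ) ) {
				$value = $m[1]; // "[2001:db8::1]:4711" -> "2001:db8::1"
			} elseif ( preg_match( '/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $value, $m ) ) {
				$value = $m[1]; // "192.0.2.60:8080" -> "192.0.2.60"
			}
			// Obfuscated identifiers such as "_gazonk" or "unknown" fail here and are dropped.
			if ( false !== filter_var( $value, FILTER_VALIDATE_IP ) ) {
				$ips[] = $value;
			}
		}
	}
	return $ips;
}

// Normalise the first usable address, or return null when none is present.
// inet_pton() only receives values that passed FILTER_VALIDATE_IP, so the
// "Unrecognized address" warning from the ticket cannot be triggered.
function first_forwarded_client_ip( $header ) {
	$ips = parse_forwarded_for( $header );
	return $ips ? inet_ntop( inet_pton( $ips[0] ) ) : null;
}

// Constructed inputs: the header from the reproduction steps and the RFC examples.
var_dump( first_forwarded_client_ip( 'for=2001:db8::1, by=2001:db8::2' ) );
var_dump( parse_forwarded_for(
	'for="_gazonk", For="[2001:db8:cafe::17]:4711", for=192.0.2.60;proto=http;by=203.0.113.43'
) );
```

The parser only establishes that a value is a well-formed address; as the function name in the ticket says, a header-supplied IP is still "unsafe" and must not be trusted for access decisions.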

Attachments (1)

ignore-forwarded-header.patch (428 bytes) - added by tomdxw 7 years ago.
Remove HTTP_FORWARDED from list of headers to be parsed


Change History (5)

@tomdxw
7 years ago

Remove HTTP_FORWARDED from list of headers to be parsed

#1 @tomdxw
7 years ago

  • Keywords has-patch added

#2 @andraganescu
5 years ago

  • Keywords reporter-feedback added

I could not reproduce this behaviour following the exact steps outlined by OP.

#3 @mallorydxw
5 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

I can't reproduce in WP 5.1.1 either. Looks like the WP_Community_Events::get_unsafe_client_ip() function has gone through some significant changes in recent releases.

#4 @desrosj
5 years ago

  • Milestone Awaiting Review deleted