Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Request::getIp() #1559

Merged
merged 1 commit into from
Nov 2, 2015
Merged

Remove Request::getIp() #1559

merged 1 commit into from
Nov 2, 2015

Conversation

akrabat
Copy link
Member

@akrabat akrabat commented Oct 29, 2015

This method was using the 'X-Forwarded-For' header which is unsafe as it's client settable. A better solution is to use middleware that sets an "ip" attribute onto the Request object.

Resolves #1528

@akrabat
Remove Request::getIp()
e882c05 
This method was using the 'X-Forwarded-For' header which is unsafe as
it's client settable. A better solution is to use middleware that sets
an "ip" attribute onto the Request object.
@silentworks
Copy link
Member

I am going to leave this on hold for the minute. We need to check the impact this is going to have and find a viable solution to suggest to people first.

@akrabat
Copy link
Member Author

akrabat commented Oct 31, 2015

This is a stab at doing it in middleware: https://github.com/akrabat/rka-ip-address-middleware

@piotr-cz
Copy link
Contributor

Good catch.

@piotr-cz
Copy link
Contributor

For the exact same reason the check for secure connection shouldn't be based on the HTTP_X_FORWARDED_PROTO header inside the Uri class (more details are here).

Anyway base path resolution is wrong determining when using server rewrites (the L flag in .htaccess file).
There should be an option to define base path (and possibly secure connection) as an application setting which can be read from an environment variable.

@akrabat
Copy link
Member Author

akrabat commented Nov 1, 2015

Anyway base path resolution is wrong determining when using server rewrites (the L flag in .htaccess file).
There should be an option to define base path (and possibly secure connection) as an application setting which can be read from an environment variable.

Please open as a separate issue with the apache rewrite settings the show the problem.

@akrabat
Copy link
Member Author

akrabat commented Nov 1, 2015

See #1567 for the Uri() usage of HTTP_X_FORWARDED_PROTO.

@silentworks silentworks added this to the 3.0.0 RC2 milestone Nov 2, 2015
silentworks added a commit that referenced this pull request Nov 2, 2015
@silentworks
Merge pull request #1559 from akrabat/remove-getIp
74daa06 
Remove Request::getIp()
@silentworks silentworks merged commit 74daa06 into slimphp:3.x Nov 2, 2015
@akrabat akrabat mentioned this pull request Nov 3, 2015
Closed
@AndrewCarterUK AndrewCarterUK mentioned this pull request Nov 3, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Slim 3
Projects
None yet
Milestone
3.0.0 RC2
Development

Successfully merging this pull request may close these issues.
3 participants
@akrabat @silentworks @piotr-cz