View Issue Details

ID: 17903
Project: Bug reports
Category: Security
View Status: public
Last Update: 2022-02-28 12:58
Reporter: tassoman
Assigned To: galads
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 5.x
Summary: 17903: getIPAddress() helper wrongly parses multiple forwards from proxies
Description

The HTTP_X_FORWARDED_FOR header can be a string of comma-separated IP addresses [1].
The getIPAddress() helper ignores them and assigns the REMOTE_HOST value.

This is wrong when you run LimeSurvey behind a proxy, inside a Kubernetes environment (also inside Docker, I guess).

The 3.x-LTS branch is also affected. I'm going to push two different pull requests on GitHub.

This issue affects IP address validation, blacklisting EVERYONE for maximum attempts;
see: 17695 17322

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

Steps To Reproduce

  1. Install a fresh LimeSurvey on localhost
  2. Configure the HTTPD conf, adding: SetEnv HTTP_X_FORWARDED_FOR "192.193.194.195, 10.11.12.13, 192.168.1.2"
  3. Create a survey with IP-address logging enabled
  4. Activate the survey, then put a response

Expected result

The response's logged IP address is 192.193.194.195 instead of the client's IP or localhost.

Actual result

Actually, LimeSurvey fails and returns the REMOTE_HOST value.
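Added here as an illustration of the parsing the report asks for; this is example code, not LimeSurvey's getIPAddress() helper and not the code of either pull request. The function name, its signature and the trusted-proxy list are assumptions; the header value is the one from the reproduction steps above, and the header is only honoured when the direct peer is a trusted proxy, since any client can send X-Forwarded-For itself.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the client IP from a $_SERVER-like array (hypothetical helper).
 *
 * X-Forwarded-For may carry a comma-separated chain: the leftmost entry is
 * the originating client, later entries are the proxies the request passed
 * through. The header is only trusted when REMOTE_ADDR (the TCP peer) is one
 * of our own proxies; otherwise the peer address is used and REMOTE_HOST is
 * never consulted.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';
    $forwarded  = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($forwarded !== '' && in_array($remoteAddr, $trustedProxies, true)) {
        foreach (explode(',', $forwarded) as $candidate) {
            $candidate = trim($candidate);
            // Skip garbage such as "unknown" or empty entries; keep the first valid hop.
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }

    // Fallback: the address the connection actually came from, if it is a valid IP.
    return filter_var($remoteAddr, FILTER_VALIDATE_IP) !== false ? $remoteAddr : '';
}

// Constructed input mirroring the SetEnv value in the reproduction steps:
// the request arrives from localhost, which we declare as a trusted proxy.
$server = [
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '192.193.194.195, 10.11.12.13, 192.168.1.2',
];
echo 'trusted peer:   ', resolveClientIp($server, ['127.0.0.1']), PHP_EOL;

// Same header from an untrusted peer: the chain is ignored, the peer is logged.
echo 'untrusted peer: ', resolveClientIp($server, ['10.0.0.1']), PHP_EOL;
```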

Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): 5.x 3.x-LTS
I will donate to the project if issue is resolved: No
Browser: all
Database type & version: mysql
Server OS (if known): linux
Webserver software & version (if known): apache 2.4
PHP Version: 7.4


Activities

tassoman

2022-02-18 19:29

reporter   ~68332

Pull request 5.x
https://github.com/LimeSurvey/LimeSurvey/pull/2254

tassoman

2022-02-18 19:48

reporter   ~68333

Last edited: 2022-02-21 12:02

Pull request for 3.x-LTS branch
https://github.com/LimeSurvey/LimeSurvey/pull/2255

tassoman

2022-02-21 10:11

reporter   ~68334

Last edited: 2022-02-21 12:02

Those pull requests need approval because this is my first contribution.
My VS Code has linted the code mess-up [1] and I've pushed >800 modifications. -_ -'
The real modification is the getIPAddress() function.

[1] https://code.visualstudio.com/docs/languages/php

ollehar

2022-02-21 10:29

administrator   ~68335

Last edited: 2022-02-21 12:02

Ehm, yes, that's not a good commit, to lint everything. :) It should be linted, PSR-12, but that should happen in a separate PR.

tassoman

2022-02-21 13:17

reporter   ~68340

Indeed, I'm going to make a correction.

tassoman

2022-02-21 15:38

reporter   ~68343

https://github.com/LimeSurvey/LimeSurvey/pull/2257
https://github.com/LimeSurvey/LimeSurvey/pull/2258

guest

2022-02-22 21:55

viewer   ~68364

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33229

guest

2022-02-22 21:58

viewer   ~68365

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33230

LimeBot

2022-02-28 12:58

administrator   ~68423

Fixed in Release 5.3.0+220228

Related Changesets

LimeSurvey: 3.x-LTS 3f03ba8d

2022-02-22 21:55:26

tassoman


Committer: GitHub
Fixed issue 17903: Incorrect IP address used when having multiple forward from proxies
Affected Issues: 17903
mod - application/helpers/common_helper.php

LimeSurvey: master 12fc718c

2022-02-22 21:58:12

tassoman


Committer: GitHub
Fixed issue 17903: Incorrect IP address used when having multiple forward from proxies
Affected Issues: 17903
mod - application/helpers/common_helper.php

Issue History

Date Modified Username Field Change
2022-02-18 19:26 tassoman New Issue
2022-02-18 19:29 tassoman Note Added: 68332
2022-02-18 19:29 tassoman Bug heat 250 => 252
2022-02-18 19:48 tassoman Note Added: 68333
2022-02-21 10:11 tassoman Note Added: 68334
2022-02-21 10:29 ollehar Note Added: 68335
2022-02-21 10:29 ollehar Bug heat 252 => 254
2022-02-21 12:01 galads Assigned To => galads
2022-02-21 12:01 galads Status new => acknowledged
2022-02-21 12:02 galads Zoho Project Synchronization => |Yes|
2022-02-21 13:17 tassoman Note Added: 68340
2022-02-21 15:38 tassoman Note Added: 68343
2022-02-22 21:55 tassoman Changeset attached => LimeSurvey 3.x-LTS 3f03ba8d
2022-02-22 21:55 guest Note Added: 68364
2022-02-22 21:55 guest Bug heat 254 => 256
2022-02-22 21:58 tassoman Changeset attached => LimeSurvey master 12fc718c
2022-02-22 21:58 guest Note Added: 68365
2022-02-22 22:00 c_schmitz Status acknowledged => resolved
2022-02-22 22:00 c_schmitz Resolution open => fixed
2022-02-28 12:58 LimeBot Zoho Project Synchronization Yes => |Yes|
2022-02-28 12:58 LimeBot Note Added: 68423
2022-02-28 12:58 LimeBot Status resolved => closed
2022-02-28 12:58 LimeBot Bug heat 256 => 258