Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#22636] - [com_actionlogs & reCaptcha] Doesn't use correct IP address when behind proxy

J3 Issue ?
avatar PhilETaylor
PhilETaylor
15 Oct 2018

Steps to reproduce the issue

install Joomla 3.9 RC1 behind a load balancer or reverse proxy (like many people do, like many web hosts do)

Joomla historically doesn't use IP address in many places, but one place this is very evident is in the new features for Joomla 3.9

Expected result

Action Log & reCaptcha use IP Address, expect to use the correct IP address of the USER (and not the proxy server, host, or any other IP address)

Actual result

Action Log & reCaptcha IP Address is read from $_SERVER['REMOTE_ADDR'] with code

$ip = JFactory::getApplication()->input->server->get('REMOTE_ADDR', null, 'raw');
// or 
$input->server->get('REMOTE_ADDR', '', 'string');

This will NOT give you the correct IP address for the user when behind proxies.

Additional comments

See the great work already distributed with Joomla in FOFUtilsIp that could be implemented.

ALSO see

Very bad use in storing votes too

$userIP = $_SERVER['REMOTE_ADDR'];
avatar PhilETaylor PhilETaylor - open - 15 Oct 2018
avatar joomla-cms-bot joomla-cms-bot - change - 15 Oct 2018
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 15 Oct 2018
avatar PhilETaylor PhilETaylor - change - 15 Oct 2018
The description was changed
avatar PhilETaylor PhilETaylor - edited - 15 Oct 2018
avatar PhilETaylor PhilETaylor - change - 15 Oct 2018
The description was changed
avatar PhilETaylor PhilETaylor - edited - 15 Oct 2018
avatar brianteeman brianteeman - change - 16 Oct 2018
Labels Added: J3 Issue
avatar brianteeman brianteeman - labeled - 16 Oct 2018
avatar alikon
alikon - comment - 16 Oct 2018

can you test #22670 is for com_actionlogs only

avatar zero-24 zero-24 - change - 16 Oct 2018
Status New Closed
Closed_Date 0000-00-00 00:00:00 2018-10-16 18:36:59
Closed_By zero-24
avatar zero-24 zero-24 - close - 16 Oct 2018
avatar zero-24
zero-24 - comment - 16 Oct 2018

Closing as there is a PR.

avatar PhilETaylor
PhilETaylor - comment - 16 Oct 2018

The pr covers one of three areas covered by this issue so why would you close the issue?

——
Sent from my iPhone - sorry - if needed I’ll send longer email from my desk later.
——

On 16 Oct 2018, at 19:39, zero-24 notifications@github.com wrote:

Closing as there is a PR.


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

avatar alikon
alikon - comment - 16 Oct 2018

you are 2 fast for me ?
see #22671 #22672 #22673

avatar zero-24
zero-24 - comment - 16 Oct 2018

The pr covers one of three areas covered by this issue so why would you close the issue?

I can read from the mind of @alikon and by that know that he was preparing the other PRs too :P

avatar PhilETaylor
PhilETaylor - comment - 16 Oct 2018

I’m in bed unwell actually- but hey.

——
Sent from my iPhone - sorry - if needed I’ll send longer email from my desk later.
——

On 16 Oct 2018, at 19:45, Nicola Galgano notifications@github.com wrote:

you are 2 fast for me ?
see #22671 #22672 #22673


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

Add a Comment

Login with GitHub to post a comment