Make sure we don't allow IP overrides within the com_content vote feature

[zero-24]

Pull Request for an issue reported to the JSST by DangKhai from Viettel Cyber Security

Summary of Changes

Make sure we dont allow IP overrides by the X-Forwarded-For or Client-Ip HTTP headers for the com_content vote feature.

Testing Instructions

Setup voting for an article
make sure voting works
apply the patch
make sure voting still works

Actual result BEFORE applying this Pull Request

It was possible to override the ip using the X-Forwarded-For or Client-Ip HTTP headers

Expected result AFTER applying this Pull Request

that behavior is disabled now

Documentation Changes Required

None

[richard67]

I have tested this item ✅ successfully on 8b0103e

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32452.}

[sandewt]

For the test I changed the following code in ...\libraries\vendor\joomla\utilities\src\IpHelper.php

public static function setAllowIpOverrides($newState)
{
    // self::$allowIpOverrides = $newState ? true : false; // original code
    self::$allowIpOverrides = $newState ? false : false; // changed code
}

The test remains successful.
In other words, does the concerned method do what it is supposed to do?

// Make sure we don't allow IP overrides
IpHelper::setAllowIpOverrides(false);

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32452.}

[brianteeman]

and that will include joomla.org

[zero-24]

Understood. I'm happy to hear proposals to fix this issue. We might have to do some kind of configuration where we get the info from that we run behind that proxy setup?

[sandewt]

Understood. I'm happy to hear proposals to fix this issue.

Maybe you can do something with this, see:

joomla-cms/administrator/components/com_actionlogs/models/actionlog.php

Line 51 in 4a6f30e

if (!filter_var($ip, FILTER_VALIDATE_IP))

[zero-24]

Its about bypassing the ip restrictions on voting by bypassing it using the mentiond headers.

[zero-24]

see: #32866