Description
Load balancers or proxies add the client IP to the end of the X-Forwarded-For header.
So if the site is behind a trusted proxy, which we set by the setProxy method, and the client sends a spoofed X-Forwarded-For header, then the existing RequestFactory code interprets it as the real client IP, because the proxy adds its real IP to the end but the RequestFactory code takes the first IP from the $_SERVER["HTTP_X_FORWARDED_FOR"] array.
The correct solution should be that we check the $_SERVER["HTTP_X_FORWARDED_FOR"] array from the end, compare it to the known trusted proxy array (set by setProxy) and use the endmost IP that doesn't match any of the known proxy IPs.
OK example:
The site is behind 2 consecutive load balancers: 10.0.0.1 and 10.0.0.2. The client's real IP is 192.168.1.1.
From the client there is no X-Forwarded-For header. The first proxy sets X-Forwarded-For to 192.168.1.1. The second proxy appends the IP of the first proxy, so the header will be X-Forwarded-For: 192.168.1.1, 10.0.0.1.
In this case everything would be all right: we take the first IP and it equals the real client IP, but...
Fake IP example:
The situation is the same as in the previous example, but the client sends a spoofed X-Forwarded-For header. It sends e.g. 172.16.0.1 in that header.
The first proxy appends its real IP, the second proxy appends the IP of the first proxy. We have X-Forwarded-For: 172.16.0.1, 192.168.1.1, 10.0.0.1
So RequestFactory uses the fake IP as reference.
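An added example of the right-to-left resolution proposed above (not the RequestFactory code the issue discusses). The function names `resolveClientIp` and `isTrustedProxy`, the IPv4 CIDR support and the fallback to REMOTE_ADDR are this example's own assumptions; the inputs are the addresses from the two scenarios in the issue.

```php
<?php
declare(strict_types=1);

// Trusted-proxy check: exact IPv4 address or IPv4 CIDR range such as "10.0.0.0/8".
// CIDR support is an assumption of this example; the issue only talks about a list of proxy IPs.
function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $proxy) {
        if (strpos($proxy, '/') === false) {
            if ($proxy === $ip) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $proxy, 2);
        $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Walks X-Forwarded-For from the right (the end the proxies append to), skips every
// trusted proxy and returns the first address that is not a known proxy. Falls back
// to REMOTE_ADDR when the header is absent or consists only of trusted proxies.
function resolveClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    if (!isTrustedProxy($remoteAddr, $trustedProxies)) {
        return $remoteAddr; // not behind a trusted proxy: the header is untrusted, ignore it
    }
    $hops = $xff === null ? [] : array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!isTrustedProxy($hops[$i], $trustedProxies)) {
            return $hops[$i];
        }
    }
    return $remoteAddr;
}

$trusted = ['10.0.0.1', '10.0.0.2']; // the two load balancers from the issue
// OK example: REMOTE_ADDR is the second proxy, the first proxy was appended to the header.
echo resolveClientIp('10.0.0.2', '192.168.1.1, 10.0.0.1', $trusted), PHP_EOL;
// Fake IP example: the client-supplied 172.16.0.1 sits leftmost, so right-to-left
// scanning stops at the real client address and never reaches it.
echo resolveClientIp('10.0.0.2', '172.16.0.1, 192.168.1.1, 10.0.0.1', $trusted), PHP_EOL;
// Header-less request straight from a trusted proxy: falls back to REMOTE_ADDR.
echo resolveClientIp('10.0.0.2', null, $trusted), PHP_EOL;
```

Note that the header is only consulted when REMOTE_ADDR itself is a trusted proxy; otherwise anything in X-Forwarded-For was written by the client and must not be used.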