vectorface / whip Goto Github PK

Hi ,
Instead of

Whip::IPV4

make it

\Vectorface\Whip\IpRange\IpWhitelist::IPV4

same changes for IPV6

Since the last update, the extractAddressFromHeaders method is always returning false. I'm working on a fix an will open a PR soon.

Is user is using anonymous proxy, where IP have multiple IP addresses

$_SERVER["HTTP_X_FORWARDED_FOR"] = '1.2.3.4, 2.3.4.5'

it is possible to return those IPs and not only one?

In the implementation, option CLOUDFLARE_HEADERS checks HTTP_CF_CONNECTING_IP which can be injected into HTTP request by attacker.

Reference:

• whip/src/Whip.php

  Line 72 in daa06ba

  'cf-connecting-ip'

It's worth mentioning in the documentation.

The proper way to do it is to check CF IP list with all masks. IPs are avaliable on website:
https://www.cloudflare.com/ips/

What would happen when the following would be done:

I have WHIP setup with a custom-reverse-proxy which would use a header called: "HTTP_X_FORWARDED" for the clients real ip-address.

So let's say BOB sends a normal HTTP request from the ip-address of 1.1.1.1 through the reverse proxy (which is white-listed, and the PROXY_HEADERS mask is enabled).
The revere proxy would pass along the 1.1.1.1 fine, and then WHIP would see it and correctly tell the ip-address is 1.1.1.1

Now Bob sends an extra header with the following: "HTTP_CLIENT_IP: 2.2.2.2"
Would WHIP not see HTTP_CLIENT_IP: 2.2.2.2 before it saw "HTTP_X_FORWARDED: 1.1.1.1" and therefor assume (wrongly) that the client's ip-address is 2.2.2.2?

If so, a possible fix could be to parse all the headers in the PROXY_HEADERS and check if they're all equal, if not the request is probably malicious, and WHIP should throw an exception.

Is it possible to add ability to get ip addresses from behind a nginx proxy?
[HTTP_X_REAL_IP] => 80.235.6.194
[HTTP_X_FORWARDED_FOR] => 80.235.6.194
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_HOST] => oidprovider.com
[HTTP_CONNECTION] => close
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
[HTTP_SEC_FETCH_SITE] => none
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_DEST] => document
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9,et;q=0.8,fi;q=0.7
[HTTP_COOKIE] => PHPSESSID=nlb325t04th0t2g0377bfp4ehf
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[LD_LIBRARY_PATH] => /usr/local/apache2/lib

HTTP_X_REAL_IP is one of the headers used to pass real user IP. Is it supported? There is nothing in the docs.

Hi, @jdpanderson make very very good fix: #14 on May 17
But latest version from packagist still without this pull request.
Can you please update patch version for packagist.org ?

Hi,

I would like to use your lib, but I am getting unexpected results:

$_SERVER = array(
    'REMOTE_ADDR' => '24.24.24.24',
    'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS || Whip::REMOTE_ADDR );
echo $ip = $whip->getIpAddress(); //would expect 1.1.1.1

also this should not return false:

$_SERVER = array(
    'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS || Whip::REMOTE_ADDR );
echo $ip = $whip->getIpAddress();

this works:

$_SERVER = array(
    'HTTP_CF_CONNECTING_IP' => '1.1.1.1'
);
$whip = new Whip( Whip::CLOUDFLARE_HEADERS);
echo $ip = $whip->getIpAddress();

Hi
at first thank you for developing this package.
we use this package in wp-statistics WordPress Plugin in new Version.
https://wordpress.org/plugins/wp-statistics/

Problem :
For one of our users, the $_SERVER is :

also we use your package in plugin :

$whip    = new \Vectorface\Whip\Whip( Vectorface\Whip\Whip::PROXY_HEADERS | Vectorface\Whip\Whip::REMOTE_ADDR );
$user_ip = $whip->getValidIpAddress();

real client ip is : 51.255.84.122
$user_ip return a empty string for this user.
please help me .