phy25 opened a new pull request at
This fixes #2828, where malicious clients passed in customized HTTP header to
keep its IP address off records.
This is inspired by Sympony's Request::setTrustedProxies, but I don't want to
implement everything including IP CIDR matching (IPv4 + IPv6), so I decided to
reuse the local IP checker in place powered by regexp. Now admins can customize
this "local" (trusted) proxy list using $conf['trustedproxy'], and by default
it will allow any local IPs.
If in the future there is a need to implement array-based CIDR matching,
$conf['trustedproxies'] can be used for the new config name.
Please help us to review this pull request, so new contributors get feedback in
a timely manner.
DokuWiki mailing list - more info at