Hi,
phy25 opened a new pull request at
https://github.com/splitbrain/dokuwiki/pull/2892:
This fixes #2828, where malicious clients passed in a customized HTTP header to
keep their IP addresses off records.
This is inspired by Symfony's Request::setTrustedProxies, but I don't want to
implement everything including IP CIDR matching (IPv4 + IPv6), so I decided to
reuse the local IP checker in place powered by regexp. Now admins can customize
this "local" (trusted) proxy list using $conf['trustedproxy'], and by default
it will allow any local IPs.
If in the future there is a need to implement array-based CIDR matching,
$conf['trustedproxies'] can be used for the new config name.
Please help us to review this pull request, so new contributors get feedback in
a timely manner.
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
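
The trust rule described in the pull request text, as an added example that is not DokuWiki's code and not part of the original message: a forwarded-for header is honoured only when the connecting peer matches the trusted-proxy regexp. The function name `resolveClientIp`, the use of `X-Forwarded-For` as the header, the sample pattern and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not DokuWiki's code. resolveClientIp() is a hypothetical
// name; $trustedRegex plays the role of $conf['trustedproxy'].
function resolveClientIp(string $remoteAddr, string $forwardedFor, string $trustedRegex): string
{
    // Assumes the pattern contains no '/' (the delimiter used here).
    $pattern = '/' . $trustedRegex . '/';

    // REMOTE_ADDR is the TCP peer and cannot be set by a header. If that peer
    // is not a trusted proxy, the header is client-controlled: ignore it.
    if ($forwardedFor === '' || !preg_match($pattern, $remoteAddr)) {
        return $remoteAddr;
    }

    // Walk the chain from the hop nearest to us back towards the client.
    $hops = array_reverse(array_map('trim', explode(',', $forwardedFor)));
    $candidate = $remoteAddr;
    foreach ($hops as $hop) {
        // Stop at anything that is not a syntactically valid IP address.
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        $candidate = $hop;
        // The first untrusted address is the client; entries further left
        // were supplied by that client and are never recorded.
        if (!preg_match($pattern, $hop)) {
            break;
        }
    }
    return $candidate;
}

// Constructed pattern: loopback and RFC 1918 ranges as the "local" proxies.
$trusted = '^(::1$|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)';

// Constructed requests: [REMOTE_ADDR, X-Forwarded-For]
$samples = [
    ['203.0.113.7', '10.0.0.5'],                // direct client sending its own header
    ['10.0.0.2',    '198.51.100.9'],            // trusted proxy relaying a client
    ['10.0.0.2',    '127.0.0.1, 198.51.100.9'], // client prepended a local-looking hop
    ['10.0.0.2',    'not-an-ip'],               // malformed header behind the proxy
];
foreach ($samples as [$peer, $xff]) {
    printf("%-12s %-26s -> %s\n", $peer, $xff, resolveClientIp($peer, $xff, $trusted));
}
```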