Remote-Addr accepts data from HTTP headers
If an HTTP header named Remote-Addr is present, cpg.request.headerMap['Remote-Addr'] is set to it instead of the client's actual IP address, which could allow for very easy spoofing.
Why is the IP address put into headerMap, anyway? It seems to me like it should be a seperate attribute of cpg.request.
Reported by firstname.lastname@example.org