Issue #34 resolved

Remote-Addr accepts data from HTTP headers

Anonymous created an issue

If an HTTP header named Remote-Addr is present, cpg.request.headerMap['Remote-Addr'] is set to it instead of the client's actual IP address, which could allow for very easy spoofing.

Why is the IP address put into headerMap, anyway? It seems to me like it should be a separate attribute of cpg.request.


Comments (4)

  1. Anonymous

    You're right, CP shouldn't just include remote-addr blindly ... I'll have to check when and why this header is there ... I think it may be how Apache passes it to CP or something ... But yes, CP should be smarter about this.

  2. Anonymous

    I think Remote-Addr is set by Apache when using mod_rewrite so it's still useful to know what its value is. What I've done is add cpg.remoteAddr and cpg.remoteHost that contain the actual information about the client connecting to CP.
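The defect described in this thread and the fix from comment 2, side by side, as an added example (not CherryPy's own code): the vulnerable builder seeds the header map with the socket peer address and then lets request headers overwrite it, while the fixed builder keeps the peer address in its own attribute and leaves the header map as sent. The raw request, peer tuple, and function names are constructed for illustration; the reverse-DNS lookup behind cpg.remoteHost is omitted.

```python
from dataclasses import dataclass


def parse_headers(raw_request: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a name->value map."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()  # normalise to Remote-Addr
    return headers


@dataclass
class Request:
    header_map: dict   # what the client (or a front-end proxy) actually sent
    remote_addr: str   # what the server's own socket reported


def build_request_vulnerable(raw_request: bytes, peer: tuple) -> Request:
    # Pattern from the issue: the peer address is stored under the key
    # 'Remote-Addr' and then all request headers are merged in, so a
    # client-supplied Remote-Addr header silently replaces the real value.
    header_map = {"Remote-Addr": peer[0]}
    header_map.update(parse_headers(raw_request))
    return Request(header_map, header_map["Remote-Addr"])


def build_request_fixed(raw_request: bytes, peer: tuple) -> Request:
    # Fix from comment 2: the transport-level address lives in its own
    # attribute; the header map still carries any Remote-Addr an Apache
    # front end added, but it can never override the socket peer.
    return Request(parse_headers(raw_request), peer[0])


# Constructed sample: a request that tries to claim it came from localhost,
# arriving on a connection whose accept() reported a public address.
SPOOFED_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Remote-Addr: 127.0.0.1\r\n"
    b"\r\n"
)
PEER = ("203.0.113.7", 51234)

if __name__ == "__main__":
    print("vulnerable:", build_request_vulnerable(SPOOFED_REQUEST, PEER).remote_addr)
    print("fixed:     ", build_request_fixed(SPOOFED_REQUEST, PEER).remote_addr)
```

Any access check keyed on remote_addr (a "localhost only" admin page, for instance) is bypassable under the first builder and sound under the second.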
