Skip to content

Commit

Permalink
Add noticeable warning regarding HTTP_* spoofing
Browse files Browse the repository at this point in the history
  • Loading branch information
schlessera committed Oct 16, 2023
1 parent 88cbe8b commit 0d03cd4
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions readme.txt
Original file line number Diff line number Diff line change
Expand Up @@ -65,19 +65,22 @@ With Stream’s powerful logging, you’ll have the valuable information you nee
* WP-CLI command for querying records


## Configuration
== Configuration ==

Most of the plugin configuration is available under the "Stream" → "Settings" page in the WordPress dashboard.


### Request IP Address
= Request IP Address =

The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that:
The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address.

As a workaround, you can use the `wp_stream_client_ip_address` filter to adapt the IP address:

`add_filter(
'wp_stream_client_ip_address',
function( $client_ip ) {
// Trust the first IP in the X-Forwarded-For header.
// ⚠️ Note: This is inherently insecure and can easily be spoofed!
if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
$forwarded_ips = explode( ',' $_SERVER['HTTP_X_FORWARDED_FOR'] );

Expand All @@ -90,13 +93,15 @@ The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verifie
}
);`

⚠️ **WARNING:** The above is an insecure workaround that you should only use when you fully understand what this implies. Relying on any variable with the `HTTP_*` prefix is prone to spoofing and cannot be trusted!


## Known Issues
== Known Issues ==

* We have temporarily disabled the data removal feature through plugin uninstallation, starting with version 3.9.3. We identified a few edge cases that did not behave as expected and we decided that a temporary removal is preferable at this time for such an impactful and irreversible operation. Our team is actively working on refining this feature to ensure it performs optimally and securely. We plan to reintroduce it in a future update with enhanced safeguards.


## Contribute
== Contribute ==

There are several ways you can get involved to help make Stream better:

Expand Down

0 comments on commit 0d03cd4

Please sign in to comment.