Hello,
I downloaded your software yesterday but I'm still struggling to get it running (it will not activate on any account; I only added the PI URL and the "active" checkmark in settings for use with OTP only).
But while debugging I found something security related. In the getClientIp function in the Provider class you check HTTP_X_FORWARDED_FOR for the IP with the highest priority. So everyone who can set this header can spoof any IP. There is a global setting in Nextcloud, 'trusted_proxies', which you should check additionally and use this header only if the real IP is in this configuration array. A simple solution should be to use getRemoteAddress() from the Request class you are already using, which will check this.
Alex
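The pattern the report describes, as an added illustration that is not code from the app in question or from Nextcloud core: a minimal plain-PHP comparison of a client-IP helper that trusts `X-Forwarded-For` unconditionally against one that consults the header only when the direct peer (`REMOTE_ADDR`) is listed in a `trusted_proxies` array like Nextcloud's. Function names, the CIDR helper and the sample `$_SERVER` arrays are hypothetical constructs for this example.

```php
<?php
// Added example, not the app's code. Shows why an unconditional
// X-Forwarded-For lookup is spoofable and what a trusted-proxies check adds.

/** Vulnerable pattern from the report: the forwarded header always wins. */
function getClientIpUnsafe(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Any client can send this header, so its content is attacker-controlled.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** True if $ip equals $entry or lies inside it when $entry is a CIDR ("10.0.0.0/8"). IPv4 only. */
function ipMatches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$subnet, $bits] = explode('/', $entry, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if $ip matches any entry of the trusted-proxy list. */
function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $proxy) {
        if (ipMatches($ip, $proxy)) {
            return true;
        }
    }
    return false;
}

/**
 * Hardened: X-Forwarded-For is consulted only when the TCP peer is a trusted
 * proxy (mirroring the 'trusted_proxies' idea). The chain is walked from the
 * right, skipping trusted hops, so the value returned is the nearest address
 * that a trusted proxy saw rather than whatever the client put at the front.
 */
function getClientIpSafe(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote, $trustedProxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection: the header is not trusted
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false && !isTrustedProxy($hop, $trustedProxies)) {
            return $hop;
        }
    }
    return $remote; // every hop was a trusted proxy; fall back to the peer
}

// Constructed sample requests (not captured traffic).
$trusted = ['10.0.0.0/8'];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.2',    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];

echo "unsafe, direct:  ", getClientIpUnsafe($direct), PHP_EOL;
echo "safe, direct:    ", getClientIpSafe($direct, $trusted), PHP_EOL;
echo "safe, proxied:   ", getClientIpSafe($proxied, $trusted), PHP_EOL;
```

In the first request the peer connects directly and sets the header itself; the unsafe helper reports the header value, the hardened one ignores it and reports the peer. In the second request the peer is inside the trusted range, so the header is honoured and the trusted hop `10.0.0.5` is skipped. Inside a Nextcloud app there is no need to reimplement this: as the issue suggests, call `getRemoteAddress()` on the injected `IRequest`, which applies the instance's `trusted_proxies` configuration, and make sure that option is actually set on deployments behind a reverse proxy.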