Conditions:
- Cloudflare protected website
- "Scrutinize User's IP address?" set to Yes in settings
- A user with IPv6 address
The result is, MyBB will show the false IPv4 address of the Cloudflare server instead. Causing an incorrect IP address to show.
The fix:
The cause is get_ip() function inside functions.php
Cloudflare brings the X-Forwarded-For HTTP header with uppercase letters.
As you know, IPv6 address can have letters from A to F since it allows for hexadecimal digits.
All $_SERVER['HTTP_*'] variables are actually HTTP headers and should be sanitized.
(2014-09-08, 04:46 PM)Jabberwock Wrote: [ -> ]Cloudflare brings the X-Forwarded-For HTTP header with uppercase letters.
Why do they do that? IPv6 addresses are lowercase almost everywhere.
I don't know but this should be pushed!
Why to push when you dont know how
We could add a check for the presence of the X-Forwarded-For HTTP header and run strtolower and use that as the IP if it is set...
(2014-09-09, 05:34 AM)Eldenroot Wrote: [ -> ]Why to push when you dont know how
"How"?
(2014-09-09, 06:19 PM)JordanMussi Wrote: [ -> ]We could add a check for the presence of the X-Forwarded-For HTTP header and run strtolower and use that as the IP if it is set...
Indeed. A simple fix. Already said it here:
http://community.mybb.com/thread-158754.html
Hi,
Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.
Follow this link to visit the issue on Github:
https://github.com/mybb/mybb/issues/1563
Thanks for contributing to MyBB!
Regards,
The MyBB Group