When all IPs are trusted, use the furthest away
Scenario: we have a REMOTE_ADDR of `127.0.0.1`, and X-Forwarded-For is `A, B, C`. Without any relevant trust, the `remote_ip` is `C`. If `C` is trusted, then the `remote_ip` is `B`. If `B` and `C` are trusted, then the `remote_ip` is `A`. If all of `A`, `B`, and `C` are trusted, then the `remote_ip` should still be `A`: if our trust was sufficient to get that far out before, trusting something else should not have us fall back to `127.0.0.1`. It is this last situation that we're correcting here: We trust `A` to give us accurate X-Forwarded-For information, yet it has chosen to leave it unset. Therefore, `A` is telling us that it is itself the client.
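The selection rule described in the commit message, as an added Ruby sketch that is not the project's own code. The helper names `parse_ip`, `trusted?` and `client_ip` are hypothetical, the addresses standing in for `A`, `B` and `C` are constructed from documentation ranges, and loopback is assumed to be in every trust list.

```ruby
require "ipaddr"

# Added sketch, not the project's middleware. All names are hypothetical.

# Parse one hop; entries that are not IP addresses are dropped from the chain.
def parse_ip(text)
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

# True when the hop falls inside any trusted proxy range.
def trusted?(ip, trusted_ranges)
  addr = parse_ip(ip)
  !addr.nil? && trusted_ranges.any? { |range| range.include?(addr) }
end

# remote_addr:   the socket peer (REMOTE_ADDR)
# forwarded_for: raw X-Forwarded-For value, e.g. "A, B, C"
# Returns the address to treat as the client.
def client_ip(remote_addr, forwarded_for, trusted_ranges)
  hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  # Order the chain nearest hop first: REMOTE_ADDR, then C, B, A.
  chain = ([remote_addr] + hops.reverse).select { |ip| parse_ip(ip) }
  # The nearest untrusted hop is the client. If every hop is trusted,
  # use the furthest one instead of falling back to REMOTE_ADDR.
  chain.find { |ip| !trusted?(ip, trusted_ranges) } || chain.last
end

# Constructed sample values (documentation ranges) for A, B and C.
A = "203.0.113.7"
B = "198.51.100.20"
C = "192.0.2.30"
XFF = "#{A}, #{B}, #{C}"
LOOPBACK = [IPAddr.new("127.0.0.0/8")].freeze # assumption: always trusted

if __FILE__ == $PROGRAM_NAME
  [[], [C], [B, C], [A, B, C]].each do |extra|
    trust = LOOPBACK + extra.map { |ip| IPAddr.new(ip) }
    puts "trusted=#{extra.inspect} -> #{client_ip('127.0.0.1', XFF, trust)}"
  end
end
```
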