Search found 6 matches

by jasmineaura
Mon Sep 06, 2010 7:34 pm
Forum: [3.0/Olympus] Discussion
Topic: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation
Replies: 4
Views: 6779

Re: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validat

Finally able to log in to the tracker.
Issues described above, as well as possible abuse of HTTP_X_FORWARDED_FOR header issue, reported here: http://tracker.phpbb.com/browse/PHPBB3-9802
by jasmineaura
Mon Sep 06, 2010 7:10 am
Forum: [3.0/Olympus] Discussion
Topic: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation
Replies: 4
Views: 6779

Re: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validat

A logic issue as well:

    // split the list of IPs
    $ips = explode(' ', $this->ip);
    // Default IP if REMOTE_ADDR is invalid
    $this->ip = '127.0.0.1';
    foreach ($ips as $ip)
    {
        // check IPv4 first, the IPv6 is hopefully only going to be used very s...
by jasmineaura
Mon Sep 06, 2010 5:42 am
Forum: [3.0/Olympus] Discussion
Topic: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation
Replies: 4
Views: 6779

Re: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validat

Additional note, also on session_begin():

    $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';

htmlspecialchars is unneeded, as $this->ip will be set to '127.0.0.1' if the IP does not validate as ipv4 or ipv6 addr, and neither can be valid and yet...
by jasmineaura
Mon Sep 06, 2010 5:11 am
Forum: [3.0/Olympus] Discussion
Topic: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation
Replies: 4
Views: 6779

Re: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validat

On a side note: I know I probably should have posted this on the tracker (AJIRA), but I have been unable to log in - per this post
by jasmineaura
Mon Sep 06, 2010 3:48 am
Forum: [3.0/Olympus] Discussion
Topic: Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation
Replies: 4
Views: 6779

Optimize session_begin REMOTE_ADDR/FORWARDED_FOR validation

Per this, as of date: http://code.phpbb.com/projects/phpbb/repository/entry/trunk/phpBB/includes/session.php

2 issues in session_begin()'s handling of REMOTE_ADDR and HTTP_X_FORWARDED_FOR:

1. the regex done on both $this->ip and $this->forwarded_for is redundant and adds a considerable delay $this->...
by jasmineaura
Tue Jun 29, 2010 6:42 pm
Forum: [3.x] Discussion
Topic: Mobile browser support
Replies: 17
Views: 21187

Re: Mobile browser support

So you're only going to cater to the 1-5% of the world that will have a laptop-sized mobile phone in their pockets when phpBB4 rolls out? I don't think that should be the focus of the mobile browser support if it were to be added in phpBB4. It should be a simple interface without any bells and whis...