Last modified: 2010-05-15 15:37:20 UTC

Bug 4069 - Transparent Proxy IP recorded instead of client's IP address
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
PC Windows 2000
Assigned To: Nobody - You can work on this!
Reported: 2005-11-25 00:51 UTC by Nathan Carter
Modified: 2010-05-15 15:37 UTC (History)

Description Nathan Carter 2005-11-25 00:51:51 UTC
It seems that MediaWiki records the IP address of a user's 
transparent proxy if they are behind one instead of the 
actual user's IP address.

I believe that the HTTP_REFERRER tag can be used to pick up a 
client's IP address even if behind a transparent proxy.
Comment 1 Brion Vibber 2005-11-25 19:51:38 UTC
We only get the IP address that's exposed to us. X-Forwarded-For headers added by 
proxies are not reliable; often they may be missing, and they are easy to forge, 
becoming a security issue if relied upon.

For specific known-good proxies, sometimes we may add them to our list of known proxies 
by which the headers are checked. For your own site, try adding them to 
Comment 2 Nathan Carter 2005-11-25 23:56:57 UTC
It is just frustrating when phpBB and the like get the 
true IP, yet MediaWiki picks up the proxy's IP (which in 
the case of a transparent proxy is improper).
Comment 3 Brion Vibber 2005-11-26 01:10:01 UTC
Would you prefer it when any vandal can fake their IP address with a completely false 
Comment 4 Nathan Carter 2005-11-26 07:24:23 UTC
They can do so using an anonymous proxy anyway. It is not 
common practice to record the transparent proxy's IP 
address. That is why they are transparent proxies, because 
you can see the client through them.
Comment 5 Brion Vibber 2005-11-26 18:58:22 UTC
The proxy would be, in fact, their actual IP address.
Comment 6 Nathan Carter 2005-11-27 02:40:10 UTC
Not so with a transparent proxy. So much so when I visit 
my own site the web server records my true IP address, yet 
MediaWiki picks the proxy.
Comment 7 Brion Vibber 2005-11-27 04:16:21 UTC
1) Is your own web site on the *inside* of the proxy?
2) If not, please provide the source code for the bit of the site that picks the 
address, and I'll let you know if it's vulnerable to attack with false headers. 
(Probably is.)
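
The known-proxy approach described in Comment 1, as an added example that is not part of the thread and is not MediaWiki's code: X-Forwarded-For is consulted only while the connecting peer is on an operator-maintained list, so a header sent by an arbitrary client is ignored. `TRUSTED_PROXIES`, `is_trusted`, `client_ip` and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: proxies the site operator has vetted (documentation address ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def is_trusted(addr):
    """True if addr belongs to one of the vetted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the address to record for a request.

    remote_addr is the TCP peer address, which no header can change.
    xff_header is the raw X-Forwarded-For value, or None if absent.
    """
    current = ipaddress.ip_address(remote_addr)
    if not xff_header:
        return str(current)
    # Each proxy appends the peer it saw, so the rightmost entry is the newest.
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # nobody we trust vouched for anything further left
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("203.0.113.7", "10.1.2.3"),                   # direct client, forged header
        ("192.0.2.10", "198.51.100.23"),               # vetted proxy, real client
        ("192.0.2.10", "1.2.3.4, 198.51.100.23"),      # client forged the left entry
        ("192.0.2.10", "198.51.100.23, 192.0.2.20"),   # two vetted proxies chained
    ]
    for peer, xff in samples:
        print(f"{peer:<14} {xff:<28} -> {client_ip(peer, xff)}")
```

With an empty trusted list this always returns the TCP peer, which is the behaviour the reporter observed.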
