Add noticeable warning regarding HTTP_* spoofing
schlessera committed Oct 16, 2023
1 parent 85bdc4d commit 9bcc490
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions readme.txt
Expand Up @@ -65,19 +65,22 @@ With Stream’s powerful logging, you’ll have the valuable information you nee
* WP-CLI command for querying records


## Configuration
== Configuration ==

Most of the plugin configuration is available under the "Stream" → "Settings" page in the WordPress dashboard.


### Request IP Address
= Request IP Address =

The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address or use the `wp_stream_client_ip_address` filter to do that:
The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verified IP address of the current request. On hosting environments with PHP processing behind reverse proxies or CDNs the actual client IP is passed to PHP through request HTTP headers such as `X-Forwarded-For` and `True-Client-IP` which can't be trusted without an additional layer of validation. Update your server configuration to set the `$_SERVER['REMOTE_ADDR']` variable to the verified client IP address.

As a workaround, you can use the `wp_stream_client_ip_address` filter to adapt the IP address:

`add_filter(
'wp_stream_client_ip_address',
function( $client_ip ) {
// Trust the first IP in the X-Forwarded-For header.
// ⚠️ Note: This is inherently insecure and can easily be spoofed!
if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
$forwarded_ips = explode( ',' $_SERVER['HTTP_X_FORWARDED_FOR'] );

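Review bot: the `explode()` call in the example is missing the argument separator: `explode( ',' $_SERVER['HTTP_X_FORWARDED_FOR'] )` is a PHP parse error as written and should read `explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] )`. Since this snippet will be copied verbatim into sites' `functions.php`, it is worth making it at least syntactically valid. Separately, the comment "Trust the first IP in the X-Forwarded-For header" plus the inline warning is the right framing, but the prose above could say in one sentence when the workaround is acceptable at all: only when a proxy you control is known to set or overwrite that header on every request, which is the condition the "additional layer of validation" wording alludes to. Validating the extracted value with `filter_var( $ip, FILTER_VALIDATE_IP )` before returning it would also keep arbitrary header content out of the logged records.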
Expand All @@ -90,13 +93,15 @@ The plugin expects the `$_SERVER['REMOTE_ADDR']` variable to contain the verifie
}
);`

⚠️ **WARNING:** The above is an insecure workaround that you should only use when you fully understand what this implies. Relying on any variable with the `HTTP_*` prefix is prone to spoofing and cannot be trusted!


## Known Issues
== Known Issues ==

* We have temporarily disabled the data removal feature through plugin uninstallation, starting with version 3.9.3. We identified a few edge cases that did not behave as expected and we decided that a temporary removal is preferable at this time for such an impactful and irreversible operation. Our team is actively working on refining this feature to ensure it performs optimally and securely. We plan to reintroduce it in a future update with enhanced safeguards.


## Contribute
== Contribute ==

There are several ways you can get involved to help make Stream better:

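Review bot: the warning paragraph is a good addition, but it repeats the inline comment rather than adding to it; consider stating the concrete mitigation next to it, namely configuring the web server or PHP-FPM to rewrite `REMOTE_ADDR` from the proxy-supplied header only for connections from known proxy addresses, so that readers have a secure alternative and not just a prohibition. The heading changes from `##`/`###` to `== ... ==`/`= ... =` match the WordPress readme.txt convention used elsewhere in the file and look correct.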
