Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible that REMOTE_ADDR could be blank?

Tags:

php

networking

webserver

As far as I'm aware, the webserver (Apache/Nginx) provides the ($_SERVER['REMOTE_ADDR']) based on the claimed location of the requesting user agent. So I understand they can be lying, but is it possible that this value could be blank? Would the network interface or webserver even accept a request without a correctly formed IP?

http://php.net/manual/en/reserved.variables.server.php

like image 288
Xeoncross Avatar asked Feb 25 '23 18:02

Xeoncross

2 Answers

It is theoretically possible, as the matter is up to the http server or at least the corresponding PHP SAPI.

In practice, I haven't encountered such a situation, except with the CLI SAPI.

EDIT: For Apache, it would seem this is always set, as ap_add_common_vars always adds it to the table that ends up being read by the Apache module PHP SAPI (disclaimer: I have very limited knowledge of Apache internals).

If using PHP in a CGI environment, the specification in RFC 3875 seems to guarantee the existence of this variable:

4.1.8.  REMOTE_ADDR

   The REMOTE_ADDR variable MUST be set to the network address of the
   client sending the request to the server.
like image 143
Artefacto Avatar answered Mar 04 '23 15:03

Artefacto

Yes. I currently see values of "unknown" in my logs of Apache-behind-Nginx, for what looks like a normal request/response sequence in the logs. I believe this is possible because mod_extract_forwarded is modifying the request to reset REMOTE_ADDR based on data in the X-Forwarded-For header. So, the original REMOTE_ADDR value was likely valid, but as part of passing through our reverse proxy and Apache, REMOTE_ADDR appears invalid by the time it arrives at the application.

If you have installed Perl's libwww-perl, you can test this situation like this (changing example.com to be your own domain or application):

HEAD -H 'X-Forwarded-For: ' -sSe http://www.example.com/
HEAD -H 'X-Forwarded-For: HIMOM' -sSe http://www.example.com/
HEAD -H 'X-Forwarded-For: <iframe src=http://example.com>' -sSe http://www.example.com/

( You can also use any other tool that allows you to handcraft HTTP requests with custom request headers. )

Now, go check your access logs to see what values they logged, and check your applications to see how they handled the bad input. `

like image 40
Mark Stosberg Avatar answered Mar 04 '23 15:03

Mark Stosberg
Sign in to Comment

Related questions

CodeIgniter app shows 404 when moved to production
Shorten URL text on links like stackoverflow?
Weighted voting system with karma
PHP, MySQL, and AES Encryption / Decryption for User Data
PHP's range function in Java
PHP mail() function sends the email but it takes more than 10 mins to show up
cakephp: how to set multiple validation in model for different actions?
PHP file upload keeps throwing error
Pulling Oracle CLOB's different than VARCHAR2?
documenting cakephp project
Mysterious number appears above Drupal-generated HTML when visiting page for first time
Showing time elapsed with php
Can't Upload File on IIS
autoload functions in php [duplicate]
MySQL select random row with JOIN from two tables
How do I search part of a string in MongoDB?
PHP Date format
Will it make any diffrence to my script if i use && instead of AND?
Is fopen() limited by the filesystem?
How to get related values in Yii?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!