0

I'm working on a system that relies on $_SERVER['REMOTE_ADDR'] to get the user address and check it against a white list of addresses. Is this approach safe? Or is there a way of forcing values in superglobal variables?

Thank you, Diogo

bmargulies
DiogoNeves
  • 2
    I don't know PHP so I can't tell if the term 'superglobal' is yours or PHP's. Either way, it makes me shudder. – spender Mar 09 '10 at 01:32
  • 3
    @spender: I know just enough PHP to tell you that it's not his term, and that your shudder is _fully_ justified. – SLaks Mar 09 '10 at 01:34
  • Why is it any more shudder worthy than the environmental variables that exist in every single other programming language? – Rob Mar 09 '10 at 01:38
  • Probably because it sounds like a hacky name to address the issue that the original 'global' wasn't quite global enough. I'm probably wrong though, and the reason for its name is more benign. – spender Mar 09 '10 at 01:41
  • 1
    Oh sorry, I see you were referring to the term "superglobals" and not $_SERVER. superglobals just differentiate between built in always-on variables available in any scope (environmental variables, get/post data, cookies), and user defined global variables. – Rob Mar 09 '10 at 01:44
  • A superglobal is a global variable that does not need to be explicitly imported into other scopes. I agree with the shudder in that they should be used very sparingly, if at all. – Pekka Mar 10 '10 at 01:48
  • They can't be used sparingly if you want your PHP application to do anything useful. Are you not going to use $_POST and $_GET because it makes you shudder for some inexplicable reason? Users cannot define a superglobal, there's nothing scary or dangerous about them. Just call them environmental variables if that makes them sound less scary, because that's essentially all they are. – Rob Mar 10 '10 at 16:41

4 Answers

2

The value itself should be safe from outside injection - it is served by the web server - but the client IP can be spoofed.

Related good reading: What is the most accurate way to retrieve a user’s correct IP address in PHP?

Community
Pekka
  • I don't agree that the IP can be spoofed. Sure, the user can be behind the proxy, but the IP can't actually be spoofed for a TCP protocol. See http://stackoverflow.com/questions/1180878/spoofing-the-origination-ip-address-of-an-http-request/1180938#1180938 – Matthew Flaschen Mar 09 '10 at 01:45
  • @Matthew I'm no expert in that field, but my understanding always was that it is possible to get a request with a spoofed IP *to* the web server, which can be enough when starting, say, a delete operation for which the attacker needs no feedback. Am I mistaken? – Pekka Mar 09 '10 at 01:47
  • 1
    I'm not an expert either, but AFAICT even a GET request requires a three-way handshake. So the IP can't be trivially forged – Matthew Flaschen Mar 09 '10 at 02:11
  • 1
    There is no three-way handshake for a GET request. See a GET example @ http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Example_session request => response – Phil Rykoff Mar 09 '10 at 07:21
  • @henchman: before HTTP information can be processed, there is a TCP-level handshake: http://stackoverflow.com/questions/1180878/spoofing-the-origination-ip-address-of-an-http-request/1180938#1180938 – Thilo Mar 10 '10 at 02:18
  • Ahhh, so mea culpa :-) I normally don't go as deep as OSI layer 4 :-) – Phil Rykoff Mar 10 '10 at 03:05
1

The approach is safe.

The entries in this array are created by the web server.

Phil Rykoff
1

The value in $_SERVER['REMOTE_ADDR'] is set by Apache (or whatever web server you're using), not by the user. So unless the user has access to the system itself (and not just web access), then you shouldn't have to worry about the user modifying it. You might, however, need to worry about addresses of proxies if you need to whitelist a user behind one.

Amber
  • Thanks! My problem would be if there was a way of tricking the web server (Apache in this case) to think that the address is something else :) – DiogoNeves Mar 10 '10 at 01:47
1

There is nothing the user can do to "force a value into this superglobal".

I am not sure if other PHP code could do that, but that should be under your control.

Also, if there are proxies between you and the user, you should check if the REMOTE_ADDR is set correctly. I would think that if you use Apache (and well-behaved proxies), that case would be handled properly.

Thilo
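
An added example, not part of any answer above: a REMOTE_ADDR allow-list check in PHP that matches CIDR ranges and reads a forwarded address only when the TCP peer is a proxy you run yourself. The networks, the proxy address and the function names are assumptions made for illustration; X-Forwarded-For is the conventional header such proxies set and is not named in the thread.

```php
<?php
// Constructed sample values (documentation ranges); replace with your own.
const ALLOWED_NETWORKS = ['192.0.2.0/24', '2001:db8:1::/48'];
const TRUSTED_PROXIES  = ['198.51.100.10/32']; // hypothetical proxy you operate
/** True if $ip lies inside $cidr (IPv4 or IPv6; no prefix means exact match). */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits ?? (string) $max;
    if (!preg_match('/^\d{1,3}$/', $bits) || (int) $bits > $max) return false;
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF; // remaining high bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function in_any(string $ip, array $cidrs): bool {
    foreach ($cidrs as $cidr) if (ip_in_cidr($ip, $cidr)) return true;
    return false;
}

/** Address to authorize: the TCP peer, or the hop reported by our own proxy. */
function client_ip(array $server): ?string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_any($peer, TRUSTED_PROXIES)) {
        return filter_var($peer, FILTER_VALIDATE_IP) ?: null; // direct: ignore headers
    }
    // Behind our proxy: read X-Forwarded-For right to left, skipping our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (!in_any($hop, TRUSTED_PROXIES)) return filter_var($hop, FILTER_VALIDATE_IP) ?: null;
    }
    return null;
}

function is_allowed(array $server): bool {
    $ip = client_ip($server);
    return $ip !== null && in_any($ip, ALLOWED_NETWORKS);
}

// Constructed request: the header names an allowed address, but the peer is not our proxy.
var_dump(is_allowed(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.5']));
```

In a real request handler, pass `$_SERVER` to `is_allowed()` and reject the request when it returns false.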