-
Bug
-
Resolution: Fixed
-
Critical
-
3.5.13, 3.7.7, 3.8.4, 3.9, 3.10
-
MOODLE_310_STABLE, MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
-
MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
-
MDL-69074-master -
This is probably caused by MDL-67861 (which I can't see). The new default getremoteaddrconf setting is 3 (GETREMOTEADDR_SKIP_HTTP_X_FORWARDED_FOR|GETREMOTEADDR_SKIP_HTTP_CLIENT_IP), allowing REMOTE_ADDR only by default. However, the default behavior in getremoteaddr() when no config value is set (during an installation for example) is still 0 (HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR allowed, in that order). If you install a clean Moodle installation behind a load balancer, your actual IP gets logged when you start the installation, because HTTP_X_FORWARDED_FOR is allowed. When you go to complete the installation you encounter error/admin/installhijacked, because the default config is now in place and Moodle is detecting the load balancer IP.
- caused a regression
-
MDL-69562 getremoteconfaddr cannot be set to HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, REMOTE_ADDR
- Closed
- has a non-specific relationship to
-
MDL-63770 Moodle doesn't work when external port number doesn't equal internal
- Closed
- Testing discovered
-
MDL-69247 Check that everyone doesn't have the same lastip address
- Closed