From 8944af57cbd1fd2962b6adeaed76c6cd41712453 Mon Sep 17 00:00:00 2001
From: Robin McCorkell <rmccorkell@karoshi.org.uk>
Date: Sat, 25 Jul 2015 18:10:21 +0100
Subject: [PATCH] Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'

---
 config/config.sample.php                  | 8 +++++++-
 lib/private/appframework/http/request.php | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/config/config.sample.php b/config/config.sample.php
index 3b5632087f..5c362e9425 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -1017,7 +1017,13 @@ $CONFIG = array(
 
 /**
  * Headers that should be trusted as client IP address in combination with
- * `trusted_proxies`
+ * `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
+ * 'HTTP_X_FORWARDED_FOR' here.
+ *
+ * If set incorrectly, a client can spoof their IP address as visible to
+ * ownCloud, bypassing access controls and making logs useless!
+ *
+ * Defaults to 'HTTP_X_FORWARED_FOR' if unset
  */
 'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
 
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index 43f01dfde3..aaad286e84 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -452,7 +452,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
 
 		if(is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
-			$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', []);
+			$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
+				'HTTP_X_FORWARDED_FOR'
+				// only have one default, so we cannot ship an insecure product out of the box
+			]);
 
 			foreach($forwardedForHeaders as $header) {
 				if(isset($this->server[$header])) {