Description
The Request::getClientIp method reports the wrong IP when using a server setup that has multiple request forwarding steps.
As described in Request::getClientIps, this method returns the IP addresses in order of trust, where the 'real' client IP address is the last one.
As described in Request::getClientIp, this method should return the leftmost IP address of the 'X-Forwarded-For' header. It internally calls getClientIps and returns the first element of the array. Because getClientIps reverses the order, getClientIp returns an incorrect IP.
This was tested against Symfony 2.7.9 and seems to exist in versions 2.3 and up.
Real Client IP: 123.123.123.123
AWS CloudFront: 216.137.60.7
AWS Elastic Load Balancer: 172.31.17.74
Related headers:
$_SERVER["HTTP_X_FORWARDED_FOR"] = "123.123.123.123, 216.137.60.7";
$_SERVER["REMOTE_ADDR"] = "172.31.17.74";
framework.trusted_proxies:
- 172.31.0.0/16
var_dump($request->getClientIps()); // array(216.137.60.7, 123.123.123.123)
var_dump($request->getClientIp()); // 216.137.60.7
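
Added example, not part of the original report and not Symfony's own code: a simplified, IPv4-only model of the trusted-proxy filtering reported above, showing how the returned chain depends on which hops are listed as trusted. The function names, the extra trusted entry for the CloudFront hop and the forged `203.0.113.50` header entry are assumptions constructed for illustration; 64-bit PHP 7.4 or later is assumed.

```php
<?php
// Added example: simplified IPv4-only model, not Symfony's implementation.
// Function names are hypothetical; assumes 64-bit PHP.

function ipInCidr(string $ip, string $cidr): bool
{
    // A bare address is treated as a /32.
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $bits = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrusted(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Drops trusted hops from "X-Forwarded-For + REMOTE_ADDR" and returns the
// rest nearest-hop first, the order shown in the getClientIps() output above.
function resolveClientIps(string $remoteAddr, string $xff, array $trusted): array
{
    if (!isTrusted($remoteAddr, $trusted)) {
        return [$remoteAddr]; // untrusted peer: its header is ignored
    }
    $hops = array_map('trim', explode(',', $xff));
    $hops[] = $remoteAddr;
    $untrusted = array_filter($hops, fn ($ip) => $ip !== '' && !isTrusted($ip, $trusted));
    return $untrusted ? array_values(array_reverse($untrusted)) : [$remoteAddr];
}

$xff = '123.123.123.123, 216.137.60.7';   // header values from the report
$elb = '172.31.17.74';                    // REMOTE_ADDR from the report
print_r(resolveClientIps($elb, $xff, ['172.31.0.0/16']));
// Constructed: also trust the CloudFront hop, and prepend a forged
// client-supplied entry (203.0.113.50) to the header.
print_r(resolveClientIps($elb, '203.0.113.50, ' . $xff, ['172.31.0.0/16', '216.137.60.7']));
```

The first call uses only the report's `trusted_proxies` value, so the CloudFront address stays in the chain as the nearest untrusted hop. In the second call the address appended by CloudFront comes first and the forged entry, which is the leftmost value of the header, comes last.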