Since v0.3.2, the package has supported restricting the servers allowed to send update requests to Meteor.
However, the current logic used for this relies on the IP at the other end of the HTTP request, which will usually be the last proxy on the chain from the user agent to Meteor, instead of being a reliable indicator of the user IP.
The code should allow:
- relying on a chain of forwarding HTTP headers from a chain of trusted proxy IPs starting at the socket IP
- disabling the mechanism OR not allowing any updater, so it's not just a matter of giving one meaning to an empty updaters array.
See https://github.com/symfony/symfony/search?q=%22public+function+getClientIps%28%29%22&unscoped_q=%22public+function+getClientIps%28%29%22 for a reasonably safe way to implement this.
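The two requirements above, sketched as an added example (not code from this package or from Symfony). It assumes the forwarding header is `X-Forwarded-For`, that trusted proxies are listed as exact IPs, and that `null` means "restriction disabled" while `[]` means "no updater allowed"; the function and parameter names are hypothetical.

```javascript
// Added example: resolveClientIp, isUpdaterAllowed and their parameters are
// hypothetical names, not part of the package discussed in this issue.

// Node often reports IPv4 peers as IPv4-mapped IPv6 ("::ffff:10.0.0.5").
function normalizeIp(ip) {
  const s = String(ip).trim().toLowerCase();
  return s.startsWith('::ffff:') && s.includes('.') ? s.slice(7) : s;
}

// Walk the X-Forwarded-For chain right to left, starting at the socket peer.
// A hop's claim about the previous hop is believed only if the hop itself is
// a trusted proxy; the first untrusted address found is the client IP.
// Anything to the left of that address is client-controlled and ignored.
function resolveClientIp(socketIp, xForwardedFor, trustedProxies) {
  const trusted = new Set(trustedProxies.map(normalizeIp));
  const chain = (xForwardedFor || '')
    .split(',')
    .map(normalizeIp)
    .filter((s) => s.length > 0);
  let candidate = normalizeIp(socketIp);
  while (trusted.has(candidate) && chain.length > 0) {
    candidate = chain.pop();
  }
  return candidate;
}

// Assumed configuration semantics:
//   updaters === null : restriction disabled, any client may send updates
//   updaters === []   : restriction enabled, no client is allowed
function isUpdaterAllowed(clientIp, updaters) {
  if (updaters === null) return true;
  return updaters.map(normalizeIp).includes(normalizeIp(clientIp));
}
```

With an untrusted socket peer the header is never consulted, so a sender connecting directly cannot choose its own apparent IP by setting the header.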