From 7c39adf71ac2eea8cfd8ecd1c49dc9cf4354b877 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 30 Sep 2015 17:39:51 +0000
Subject: [PATCH] (captiveportal, new) only accept X-Forwarded-For from localhost, thanks @fabianfrz

---
 .../OPNsense/CaptivePortal/Api/AccessController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
index 156fd9291..d82abed03
--- a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
@@ -73,7 +73,8 @@ class AccessController extends ApiControllerBase
 private function getClientIp()
 {
 // determine orginal sender of this request
- if ($this->request->getHeader('X-Forwarded-For') != "") {
+ $trusted_proxy = array("127.0.0.1");
+ if ($this->request->getHeader('X-Forwarded-For') != "" && in_array($this->request->getClientAddress(), $trusted_proxy) ) {
 // use X-Forwarded-For header to determine real client
 return $this->request->getHeader('X-Forwarded-For');
 } else {
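Review bot: The added peer check only establishes that the header arrived via 127.0.0.1; the `return` line still hands back the raw, unparsed X-Forwarded-For string, so whatever the proxy forwards is returned verbatim without any check that it is a single valid IP address. X-Forwarded-For is a comma-separated hop list and a client can send its own copy of the header; if the local proxy appends rather than overwrites (this depends on the proxy configuration and is not visible here), the first element is attacker-chosen and only the last element was written by the trusted hop. I would take the last hop, validate it with `filter_var($ip, FILTER_VALIDATE_IP)`, and fall through to `getClientAddress()` on failure; `in_array(..., true)` and adding `"::1"` to the trusted list are cheap while touching these lines. The `else` branch of getClientIp continues outside the hunk.
```php
$trusted_proxy = array("127.0.0.1", "::1");
$xff = $this->request->getHeader('X-Forwarded-For');
if ($xff != "" && in_array($this->request->getClientAddress(), $trusted_proxy, true)) {
    // X-Forwarded-For is a hop list; only the last entry was set by the trusted proxy
    $hops = array_map('trim', explode(',', $xff));
    $client_ip = end($hops);
    if (filter_var($client_ip, FILTER_VALIDATE_IP) !== false) {
        return $client_ip;
    }
}
// … unchanged: fall back to $this->request->getClientAddress() …
```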