From b5afd441957623d8557df15db8c1dbfa9da220e1 Mon Sep 17 00:00:00 2001
From: Rob
Date: Sat, 5 Oct 2019 18:21:28 +0100
Subject: [PATCH] Remove use of headers that can be used to bypass anti-brute force controls
---
 bl-kernel/security.class.php | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/bl-kernel/security.class.php b/bl-kernel/security.class.php
index e33232cf..ea724947 100644
--- a/bl-kernel/security.class.php
+++ b/bl-kernel/security.class.php
@@ -107,13 +107,6 @@ class Security extends dbJSON
 public function getUserIp()
 {
- if (getenv('HTTP_X_FORWARDED_FOR')) {
- $ip = getenv('HTTP_X_FORWARDED_FOR');
- } elseif (getenv('HTTP_CLIENT_IP')) {
- $ip = getenv('HTTP_CLIENT_IP');
- } else {
- $ip = getenv('REMOTE_ADDR');
- }
- return $ip;
+ return getenv('REMOTE_ADDR');
 }
 }
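Review bot: With only `REMOTE_ADDR` left in `getUserIp()`, an install behind a reverse proxy or CDN will see the proxy's address for every visitor, so any per-IP failed-login counter keyed on this value (the callers are outside the hunk) would be shared by all clients and one client's failures could block everyone. Dropping the client-supplied headers is the right default, but nothing in the new code records why or what the trade-off is. I would add a comment above the return, e.g. `// REMOTE_ADDR only: X-Forwarded-For and Client-IP are client-supplied and must not be trusted unless set by a known proxy`. A follow-up could honour a forwarded header only when `REMOTE_ADDR` matches an explicitly configured proxy address. Separately, `getenv('REMOTE_ADDR')` returns `false` when the variable is absent (CLI, some SAPIs), so the method should either document that or normalise it, for instance `return getenv('REMOTE_ADDR') ?: '';` if callers expect a string.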