
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability was identified in Symfony's Request::getClientIp() method when the trust proxy mode is enabled. The issue was discovered by Damien Tournoud from the Drupal security team and disclosed on November 29, 2012. This vulnerability affects Symfony versions 2.0.0 through 2.0.19 and 2.1.0 through 2.1.4 (Symfony Blog).
The vulnerability exists in the Request::getClientIp() method when trust proxy mode has been enabled through Request::trustProxyData(). In that mode the method unconditionally treats the last hop in the chain, i.e. the current remote address, as a trusted proxy, so the forwarded client address is accepted without any check that the connecting peer is actually one of the application's reverse proxies (Symfony Blog).
Applications are vulnerable if they use the client IP address returned by the Request::getClientIp() method for sensitive decisions such as IP-based access control. This could potentially allow attackers to bypass IP-based security controls (Symfony Blog).
To fix this security issue, a new Request::setTrustedProxies() method was introduced to replace Request::trustProxyData(). The new method requires an array of trusted proxy IP addresses as its argument. For example: Request::setTrustedProxies(array('1.1.1.1')); where 1.1.1.1 is the IP address of a trusted reverse proxy. The old Request::trustProxyData() method has been deprecated. Users are encouraged to upgrade to versions 2.0.19 or 2.1.4 or apply the available security patches (Symfony Blog).
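The following PHP snippet is an added illustration of the two behaviours described above; it is not Symfony's code, and the class and method names (ClientIpResolver, resolveTrustingAnyProxy, resolve) are hypothetical. It contrasts a resolver that honours X-Forwarded-For whenever trust-proxy mode is on (the deprecated Request::trustProxyData() behaviour) with one that only consults the header when REMOTE_ADDR is in an explicit allow-list, as Request::setTrustedProxies() requires. The request arrays are constructed samples, and 1.1.1.1 is the trusted proxy from the advisory's own example. Requires PHP 7.4 or later for the typed property.

```php
<?php
// Added example, not Symfony's implementation. Demonstrates why a
// trusted-proxy allow-list is needed before honouring X-Forwarded-For.

final class ClientIpResolver
{
    /** @var string[] addresses of reverse proxies allowed to set X-Forwarded-For */
    private array $trustedProxies;

    public function __construct(array $trustedProxies)
    {
        $this->trustedProxies = $trustedProxies;
    }

    /**
     * Deprecated trustProxyData()-style behaviour: the header is honoured no
     * matter who sent the request, so a direct client controls the result.
     */
    public static function resolveTrustingAnyProxy(array $server): string
    {
        if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
            $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
            return $chain[0];
        }
        return $server['REMOTE_ADDR'];
    }

    /**
     * setTrustedProxies()-style behaviour: the header is consulted only when
     * the direct peer is a known proxy. The chain (header hops plus the peer)
     * is walked from the right, discarding trusted proxies, so the result is
     * the first address a trusted proxy actually observed.
     */
    public function resolve(array $server): string
    {
        $remote = $server['REMOTE_ADDR'];
        if (!in_array($remote, $this->trustedProxies, true)) {
            return $remote; // peer is not a trusted proxy: ignore the header entirely
        }
        if (empty($server['HTTP_X_FORWARDED_FOR'])) {
            return $remote;
        }
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $chain[] = $remote;
        while (count($chain) > 1 && in_array(end($chain), $this->trustedProxies, true)) {
            array_pop($chain); // strip trusted hops from the right-hand end
        }
        return end($chain);
    }
}

// Constructed sample requests (not captured traffic).
$resolver = new ClientIpResolver(['1.1.1.1']); // trusted reverse proxy from the advisory example

// 1. Legitimate path: client 203.0.113.7 -> proxy 1.1.1.1 -> application
$viaProxy = ['REMOTE_ADDR' => '1.1.1.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
// 2. Direct connection from 198.51.100.9 carrying a header it set itself
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5'];

foreach (['via trusted proxy' => $viaProxy, 'direct, untrusted peer' => $direct] as $label => $server) {
    printf(
        "%-24s trustProxyData-style: %-14s setTrustedProxies-style: %s\n",
        $label,
        ClientIpResolver::resolveTrustingAnyProxy($server),
        $resolver->resolve($server)
    );
}
```

For the first request both resolvers return 203.0.113.7. For the second, the deprecated behaviour returns the header value 10.0.0.5, which is whatever the peer chose to send, while the allow-list resolver returns the real peer 198.51.100.9 because that address is not a trusted proxy. Any IP-based access check built on getClientIp() is only as reliable as that allow-list, which is why the fix requires the proxy addresses to be stated explicitly.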
Source: This report was generated using AI