From 3fadac632c1d98aa6071728ada5af024e8eede88 Mon Sep 17 00:00:00 2001
From: Nick Couchman
Date: Sat, 28 Jan 2017 12:58:53 -0500
Subject: [PATCH] GUACAMOLE-47: Remove XFF header code due to security concerns.
---
 .../java/org/apache/guacamole/rest/APIRequest.java | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/APIRequest.java b/guacamole/src/main/java/org/apache/guacamole/rest/APIRequest.java
index 57839a5fd..bdef6f43b 100644
--- a/guacamole/src/main/java/org/apache/guacamole/rest/APIRequest.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/APIRequest.java
@@ -68,17 +68,14 @@ public class APIRequest extends HttpServletRequestWrapper {
 super(request);
- // Try a few methods to get client info.
- if (request.getHeader("X-Forwarded-For") != null && !request.getHeader("X-Forwarded-For").isEmpty())
- this.remoteHost = null;
- else if (request.getRemoteHost() != null && !request.getRemoteHost().isEmpty())
+ // Grab the remote host info.
+ if (request.getRemoteHost() != null && !request.getRemoteHost().isEmpty())
 this.remoteHost = request.getRemoteHost();
 else
 this.remoteHost = null;
- if(request.getHeader("X-Forwarded-For") != null && !request.getHeader("X-Forwarded-For").isEmpty())
- this.remoteAddr = request.getHeader("X-Forwarded-For");
- else if(request.getRemoteHost() != null && !request.getRemoteAddr().isEmpty())
+ // Grab the remote ip info.
+ if(request.getRemoteHost() != null && !request.getRemoteAddr().isEmpty())
 this.remoteAddr = request.getRemoteAddr();
 else
 this.remoteAddr = null;
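Review bot: The new remote-address guard null-checks `request.getRemoteHost()` but then calls `request.getRemoteAddr().isEmpty()`, so the address is gated on the wrong accessor and would throw if `getRemoteAddr()` ever returned null while the host did not; the mismatch is carried over unchanged from the removed `else if`. It should read `if (request.getRemoteAddr() != null && !request.getRemoteAddr().isEmpty())`. Because the wrapper now reports only the container's view of the peer, a deployment behind a reverse proxy will record the proxy's address, so a comment at this spot would help: `// X-Forwarded-For is client-controlled; behind a proxy, let the container (e.g. Tomcat's RemoteIpValve with a trusted-proxy list) rewrite the remote address instead.` The constructor begins and ends outside the hunk, so any later use of these fields is not visible here.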