Merge pull request #4245 from tractorcow/pulls/3.1.14/fix-api

FIX Incorrect env setting in 3.1.13

core/Constants.php

@@ -94,7 +94,10 @@ function stripslashes_recursively(&$array) {
 if(!defined('TRUSTED_PROXY')) {
 	$trusted = true; // will be false by default in a future release
 
-	if(getenv('BlockUntrustedIPs') || defined('SS_TRUSTED_PROXY_IPS')) {
+	if(getenv('BlockUntrustedProxyHeaders') // Legacy setting (reverted from documentation)
+		|| getenv('BlockUntrustedIPs') // Documented setting
+		|| defined('SS_TRUSTED_PROXY_IPS')
+	) {
 		$trusted = false;
 
 		if(defined('SS_TRUSTED_PROXY_IPS') && SS_TRUSTED_PROXY_IPS !== 'none') {

docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md

@@ -509,15 +509,15 @@ If only trusted servers will make requests then you can use '*' to trust all cli
 Otherwise a comma separated list of individual IP addresses should be declared.
 
 This behaviour is enabled whenever SS_TRUSTED_PROXY_IPS is defined, or if the
-`BlockUntrustedProxyHeaders` environment variable is declared. From 3.1.13 onwards
-this environment variable is included in the installer by default.
+`BlockUntrustedIPs` environment variable is declared. It is advisable to include the
+following in your .htaccess to ensure this behaviour is activated.
 
 
 	<IfModule mod_env.c>
 		# Ensure that X-Forwarded-Host is only allowed to determine the request
 		# hostname for servers ips defined by SS_TRUSTED_PROXY_IPS in your _ss_environment.php
 		# Note that in a future release this setting will be always on.
-		SetEnv BlockUntrustedProxyHeaders true
+		SetEnv BlockUntrustedIPs true
 	</IfModule>