badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[core] trust x-forwarded-for from trusted proxies, see #800

Browse source
This commit is contained in:
Shish 2024-01-04 14:50:36 +00:00
parent 502d50c57d
commit c5395df243
3 changed files with 27 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/sys_config.php
View file

@ -37,4 +37,4 @@ _d("EXTRA_EXTS", ""); // string optional extra extensions
_d("BASE_HREF", null); // string force a specific base URL (default is auto-detect) _d("BASE_HREF", null); // string force a specific base URL (default is auto-detect)
_d("TRACE_FILE", null); // string file to log performance data into _d("TRACE_FILE", null); // string file to log performance data into
_d("TRACE_THRESHOLD", 0.0); // float log pages which take more time than this many seconds _d("TRACE_THRESHOLD", 0.0); // float log pages which take more time than this many seconds
_d("REVERSE_PROXY_X_HEADERS", false); // boolean get request IPs from "X-Real-IP" and protocol from "X-Forwarded-Proto" HTTP headers _d("TRUSTED_PROXIES", []); // array trust "X-Real-IP" / "X-Forwarded-For" / "X-Forwarded-Proto" headers from these IP ranges

38
core/util.php
View file

@ -54,7 +54,7 @@ function contact_link(): ?string
function is_https_enabled(): bool function is_https_enabled(): bool
{ {
// check forwarded protocol // check forwarded protocol
if (REVERSE_PROXY_X_HEADERS && !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { if (is_trusted_proxy() && !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['HTTPS'] = 'on'; $_SERVER['HTTPS'] = 'on';
} }
return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'); return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
@ -148,25 +148,37 @@ function check_im_version(): int
return (empty($convert_check) ? 0 : 1); return (empty($convert_check) ? 0 : 1);
} }
/** function is_trusted_proxy(): bool
* Get request IP
*/
function get_remote_addr()
{ {
return $_SERVER['REMOTE_ADDR']; $ra = $_SERVER['REMOTE_ADDR'] ?? "0.0.0.0";
foreach(TRUSTED_PROXIES as $proxy) {
if(ip_in_range($ra, $proxy)) {
return true;
}
}
return false;
} }
/** /**
* Get real IP if behind a reverse proxy * Get real IP if behind a reverse proxy
*/ */
function get_real_ip() function get_real_ip()
{ {
$ip = get_remote_addr(); $ip = $_SERVER['REMOTE_ADDR'];
if (REVERSE_PROXY_X_HEADERS && isset($_SERVER['HTTP_X_REAL_IP'])) {
$ip = $_SERVER['HTTP_X_REAL_IP']; if(is_trusted_proxy()) {
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) { if (isset($_SERVER['HTTP_X_REAL_IP'])) {
$ip = "0.0.0.0"; if(filter_var($ip, FILTER_VALIDATE_IP)) {
$ip = $_SERVER['HTTP_X_REAL_IP'];
}
}
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
$last_ip = $ips[count($ips) - 1];
if(filter_var($last_ip, FILTER_VALIDATE_IP)) {
$ip = $last_ip;
}
} }
} }

2
tests/defines.php
View file

@ -21,4 +21,4 @@ define("TIMEZONE", 'UTC');
define("BASE_HREF", "/test"); define("BASE_HREF", "/test");
define("CLI_LOG_LEVEL", 50); define("CLI_LOG_LEVEL", 50);
define("STATSD_HOST", null); define("STATSD_HOST", null);
define("REVERSE_PROXY_X_HEADERS", false); define("TRUSTED_PROXIES", []);