author | Thomas Bruederli <thomas@roundcube.net> | 2013-07-17 08:04:15 +0200 |
---|---|---|
committer | Thomas Bruederli <thomas@roundcube.net> | 2013-07-17 08:04:15 +0200 |
commit | 4d480b36ea4b503ed997b1b9c60c433b5508e4aa (patch) | |
tree | e273646d17b12142d8ee9d6cf69f710c8180a2cd | |
parent | 6d1e313788e5c7f7449616faf587a6215a381c95 (diff) |
Respect HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP variables for session IP check
-rw-r--r-- | program/lib/Roundcube/rcube_session.php | 8 | ||||
-rw-r--r-- | program/lib/Roundcube/rcube_utils.php | 15 |
2 files changed, 19 insertions, 4 deletions
diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index 615ec6f0e..646933b71 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -54,7 +54,7 @@ class rcube_session
     {
         $this->db = $db;
         $this->start = microtime(true);
-        $this->ip = $_SERVER['REMOTE_ADDR'];
+        $this->ip = rcube_utils::remote_addr();
         $this->logging = $config->get('log_session', false);
         $lifetime = $config->get('session_lifetime', 1) * 60;
@@ -480,7 +480,7 @@ class rcube_session
     public function kill()
     {
         $this->vars = null;
-        $this->ip = $_SERVER['REMOTE_ADDR']; // update IP (might have changed)
+        $this->ip = rcube_utils::remote_addr(); // update IP (might have changed)
         $this->destroy(session_id());
         rcube_utils::setcookie($this->cookiename, '-del-', time() - 60);
     }
@@ -694,10 +694,10 @@ class rcube_session
     function check_auth()
     {
         $this->cookie = $_COOKIE[$this->cookiename];
-        $result = $this->ip_check ? $_SERVER['REMOTE_ADDR'] == $this->ip : true;
+        $result = $this->ip_check ? rcube_utils::remote_addr() == $this->ip : true;
         if (!$result) {
-            $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']);
+            $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . rcube_utils::remote_addr());
         }
         if ($result && $this->_mkcookie($this->now) != $this->cookie) {
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 6c3bd2143..cf87dedb7 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
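Review bot: The session IP binding in check_auth now compares against `rcube_utils::remote_addr()`, and as added in the rcube_utils.php hunk that helper returns HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP whenever they are non-empty, with no check that the request actually arrived through a proxy the deployment trusts; those headers are supplied by the client, so when ip_check is enabled the session is no longer tied to the address the server itself observed and the check can be satisfied by a header value rather than by network position. The constructor and kill() hunks store the same helper's value, so a stored header-derived address is later compared with a fresh header-derived one, and X-Forwarded-For may carry a comma-separated chain rather than a single address, which makes a whole-string `==` comparison fragile. Suggest remote_addr() consult the forwarded headers only when `$_SERVER['REMOTE_ADDR']` matches a configured list of trusted proxies and otherwise return REMOTE_ADDR unchanged, and that the log line in check_auth report REMOTE_ADDR alongside the header value so a failed check can be triaged. The bodies of the constructor and check_auth continue outside their hunks.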
@@ -666,6 +666,21 @@ class rcube_utils
     /**
+     * Returns the real remote IP address
+     *
+     * @return string Remote IP address
+     */
+    public static function remote_addr()
+    {
+        foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
+            if (!empty($_SERVER[$prop]))
+                return $_SERVER[$prop];
+        }
+
+        return '';
+    }
+
+    /**
      * Read a specific HTTP request header.
      *
      * @param string $name Header name