summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2013-12-17 09:21:05 +0100
committerAleksander Machniak <alec@alec.pl>2013-12-17 09:21:05 +0100
commita520f331c16fc703cc92d5b9853fb91805f82305 (patch)
treef2d28e85b2bfa09a1080577e084c8c50b5c58ae8 /program
parent7b1969ad609a0fe94534bc33453bd20f5796e2a6 (diff)
Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
Diffstat (limited to 'program')
-rw-r--r--program/lib/Roundcube/rcube_utils.php14
-rw-r--r--program/steps/mail/sendmail.inc7
2 files changed, 15 insertions, 6 deletions
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index db41a6e86..fb5a8100d 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -680,9 +680,17 @@ class rcube_utils
*/
public static function remote_addr()
{
- foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
- if (!empty($_SERVER[$prop]))
- return $_SERVER[$prop];
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+ return $hosts[0];
+ }
+
+ if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+ return $_SERVER['HTTP_X_REAL_IP'];
+ }
+
+ if (!empty($_SERVER['REMOTE_ADDR'])) {
+ return $_SERVER['REMOTE_ADDR'];
}
return '';
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index fe966a4d4..f26034fa4 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -345,9 +345,10 @@ if ($CONFIG['http_received_header'])
$nldlm = "\r\n\t";
// FROM/VIA
$http_header = 'from ';
- if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
- $host = $_SERVER['HTTP_X_FORWARDED_FOR'];
- $hostname = gethostbyaddr($host);
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+ $hostname = gethostbyaddr($hosts[0]);
+
if ($CONFIG['http_received_header_encrypt']) {
$http_header .= rcmail_encrypt_header($hostname);
if ($host != $hostname)