summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG1
-rw-r--r--program/lib/Roundcube/rcube_utils.php14
-rw-r--r--program/steps/mail/sendmail.inc7
3 files changed, 16 insertions, 6 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 4736f3349..e3f2f582a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
- Fix border issue on folders list in classic skin (#1489473)
- Implemented menu actions to copy/move messages, added folder-selector widget (#1484086)
- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index db41a6e86..fb5a8100d 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -680,9 +680,17 @@ class rcube_utils
*/
public static function remote_addr()
{
- foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
- if (!empty($_SERVER[$prop]))
- return $_SERVER[$prop];
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+ return $hosts[0];
+ }
+
+ if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+ return $_SERVER['HTTP_X_REAL_IP'];
+ }
+
+ if (!empty($_SERVER['REMOTE_ADDR'])) {
+ return $_SERVER['REMOTE_ADDR'];
}
return '';
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index fe966a4d4..f26034fa4 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -345,9 +345,10 @@ if ($CONFIG['http_received_header'])
$nldlm = "\r\n\t";
// FROM/VIA
$http_header = 'from ';
- if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
- $host = $_SERVER['HTTP_X_FORWARDED_FOR'];
- $hostname = gethostbyaddr($host);
+ if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+ $hostname = gethostbyaddr($hosts[0]);
+
if ($CONFIG['http_received_header_encrypt']) {
$http_header .= rcmail_encrypt_header($hostname);
if ($host != $hostname)