From a520f331c16fc703cc92d5b9853fb91805f82305 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 17 Dec 2013 09:21:05 +0100
Subject: Fix handling of X-Forwarded-For header with multiple addresses (#1489481)

---
 CHANGELOG                             |  1 +
 program/lib/Roundcube/rcube_utils.php | 14 +++++++++++---
 program/steps/mail/sendmail.inc       |  7 ++++---
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 4736f3349..e3f2f582a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
+- Fix handling of X-Forwarded-For header with multiple addresses (#1489481)
 - Fix border issue on folders list in classic skin (#1489473)
 - Implemented menu actions to copy/move messages, added folder-selector widget (#1484086)
 - Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index db41a6e86..fb5a8100d 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -680,9 +680,17 @@ class rcube_utils
      */
     public static function remote_addr()
     {
-        foreach (array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR') as $prop) {
-            if (!empty($_SERVER[$prop]))
-                return $_SERVER[$prop];
+        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+            $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+            return $hosts[0];
+        }
+
+        if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+            return $_SERVER['HTTP_X_REAL_IP'];
+        }
+
+        if (!empty($_SERVER['REMOTE_ADDR'])) {
+            return $_SERVER['REMOTE_ADDR'];
         }
 
         return '';
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index fe966a4d4..f26034fa4 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
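Review bot: The X-Forwarded-For branch of remote_addr() still returns a client-controlled string — `$hosts[0]` is the leftmost element, which is the one a client can set freely before any proxy appends its own entry, and it is neither trimmed nor checked to be an IP address. Every caller of remote_addr() (for example the Received header assembled in sendmail.inc in this same commit, and whatever IP-based checks or logging use it) therefore sees an unverified value, the same exposure the removed foreach had. At minimum validate it before returning, `$addr = trim($hosts[0]); if (filter_var($addr, FILTER_VALIDATE_IP) !== false) { return $addr; }`, and fall through to HTTP_X_REAL_IP / REMOTE_ADDR otherwise; honoring the header only when REMOTE_ADDR is a configured trusted proxy would be the complete fix. The rcube_utils class and the docblock that precedes remote_addr() continue outside the hunk.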
@@ -345,9 +345,10 @@ if ($CONFIG['http_received_header'])
     $nldlm = "\r\n\t";
     // FROM/VIA
     $http_header = 'from ';
-    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-        $host = $_SERVER['HTTP_X_FORWARDED_FOR'];
-        $hostname = gethostbyaddr($host);
+    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
+        $hostname = gethostbyaddr($hosts[0]);
+
         if ($CONFIG['http_received_header_encrypt']) {
             $http_header .= rcmail_encrypt_header($hostname);
             if ($host != $hostname)
-- 
cgit v1.2.3
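Review bot: `$host` is no longer assigned in the new code, yet the context line `if ($host != $hostname)` at the end of the hunk still reads it, so that comparison now runs against an undefined variable and any later use of `$host` in this block sees null; the removed assignment should survive as `$host = trim($hosts[0]);` with the new line becoming `$hostname = gethostbyaddr($host);`. The value handed to gethostbyaddr() is the client-supplied first X-Forwarded-For element, which the rcube_utils.php hunk above also returns unvalidated; gethostbyaddr() returns false for a malformed address, so `$hostname` should be checked (or the address validated with filter_var() first) before it is appended to `$http_header`, which appears to end up in the outgoing message. The enclosing if block and the http_received_header section continue outside the hunk.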