aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorArthur <arthur@hoa.ro>2016-10-12 14:48:57 +0200
committerGitHub <noreply@github.com>2016-10-12 14:48:57 +0200
commitadcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch)
treee242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467
parent24cfb960cfdd88255333bfb2a08d586916b460ae (diff)
parent50d179183810a7b719bc10da2b9c4a95fd9dddee (diff)
downloadShaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.gz
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.zst
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.zip
Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban
Add trusted IPs in config and try to ban forwarded IP on failed login
-rw-r--r--application/HttpUtils.php26
-rw-r--r--index.php11
-rw-r--r--tests/HttpUtils/GetIpAdressFromProxyTest.php58
3 files changed, 94 insertions, 1 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 27a39d3d..e705cfd6 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
355 } 355 }
356 return index_url($server); 356 return index_url($server);
357} 357}
358
359/**
360 * Retrieve the initial IP forwarded by the reverse proxy.
361 *
362 * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
363 *
364 * @param array $server $_SERVER array which contains HTTP headers.
365 * @param array $trustedIps List of trusted IP from the configuration.
366 *
367 * @return string|bool The forwarded IP, or false if none could be extracted.
368 */
369function getIpAddressFromProxy($server, $trustedIps)
370{
371 $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
372 if (empty($server[$forwardedIpHeader])) {
373 return false;
374 }
375
376 $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]);
377 $ips = array_diff($ips, $trustedIps);
378 if (empty($ips)) {
379 return false;
380 }
381
382 return array_pop($ips);
383}
diff --git a/index.php b/index.php
index f9f24895..9f50d153 100644
--- a/index.php
+++ b/index.php
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php');
332function ban_loginFailed($conf) 332function ban_loginFailed($conf)
333{ 333{
334 $ip = $_SERVER['REMOTE_ADDR']; 334 $ip = $_SERVER['REMOTE_ADDR'];
335 $trusted = $conf->get('security.trusted_proxies', array());
336 if (in_array($ip, $trusted)) {
337 $ip = getIpAddressFromProxy($_SERVER, $trusted);
338 if (!$ip) {
339 return;
340 }
341 }
335 $gb = $GLOBALS['IPBANS']; 342 $gb = $GLOBALS['IPBANS'];
336 if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0; 343 if (! isset($gb['FAILURES'][$ip])) {
344 $gb['FAILURES'][$ip]=0;
345 }
337 $gb['FAILURES'][$ip]++; 346 $gb['FAILURES'][$ip]++;
338 if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) 347 if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1))
339 { 348 {
diff --git a/tests/HttpUtils/GetIpAdressFromProxyTest.php b/tests/HttpUtils/GetIpAdressFromProxyTest.php
new file mode 100644
index 00000000..6a74a45a
--- /dev/null
+++ b/tests/HttpUtils/GetIpAdressFromProxyTest.php
@@ -0,0 +1,58 @@
1<?php
2
3require_once 'application/HttpUtils.php';
4
5/**
6 * Unitary tests for getIpAddressFromProxy()
7 */
8class GetIpAdressFromProxyTest extends PHPUnit_Framework_TestCase {
9
10 /**
11 * Test without proxy
12 */
13 public function testWithoutProxy()
14 {
15 $this->assertFalse(getIpAddressFromProxy(array(), array()));
16 }
17
18 /**
19 * Test with a single IP in proxy header.
20 */
21 public function testWithOneForwardedIp()
22 {
23 $ip = '1.1.1.1';
24 $server = array('HTTP_X_FORWARDED_FOR' => $ip);
25 $this->assertEquals($ip, getIpAddressFromProxy($server, array()));
26 }
27
28 /**
29 * Test with a multiple IPs in proxy header.
30 */
31 public function testWithMultipleForwardedIp()
32 {
33 $ip = '1.1.1.1';
34 $ip2 = '2.2.2.2';
35
36 $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
37 $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
38
39 $server = array('HTTP_X_FORWARDED_FOR' => $ip .' , '. $ip2);
40 $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
41 }
42
43 /**
44 * Test with a trusted IP address.
45 */
46 public function testWithTrustedIp()
47 {
48 $ip = '1.1.1.1';
49 $ip2 = '2.2.2.2';
50
51 $server = array('HTTP_X_FORWARDED_FOR' => $ip);
52 $this->assertFalse(getIpAddressFromProxy($server, array($ip)));
53
54 $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
55 $this->assertEquals($ip2, getIpAddressFromProxy($server, array($ip)));
56 $this->assertFalse(getIpAddressFromProxy($server, array($ip, $ip2)));
57 }
58}