author | Arthur <arthur@hoa.ro> | 2016-10-12 14:48:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-12 14:48:57 +0200 |
commit | adcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch) | |
tree | e242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467 | |
parent | 24cfb960cfdd88255333bfb2a08d586916b460ae (diff) | |
parent | 50d179183810a7b719bc10da2b9c4a95fd9dddee (diff) | |
Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban
Add trusted IPs in config and try to ban forwarded IP on failed login
-rw-r--r-- | application/HttpUtils.php | 26 | ||||
-rw-r--r-- | index.php | 11 | ||||
-rw-r--r-- | tests/HttpUtils/GetIpAdressFromProxyTest.php | 58 |
3 files changed, 94 insertions, 1 deletions
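--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
     }
     return index_url($server);
 }
+
+/**
+ * Retrieve the initial IP forwarded by the reverse proxy.
+ *
+ * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
+ *
+ * @param array $server $_SERVER array which contains HTTP headers.
+ * @param array $trustedIps List of trusted IP from the configuration.
+ *
+ * @return string|bool The forwarded IP, or false if none could be extracted.
+ */
+function getIpAddressFromProxy($server, $trustedIps)
+{
+    $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
+    if (empty($server[$forwardedIpHeader])) {
+        return false;
+    }
+
+    $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]);
+    $ips = array_diff($ips, $trustedIps);
+    if (empty($ips)) {
+        return false;
+    }
+
+    return array_pop($ips);
+}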
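Review bot: The value handed back at `return array_pop($ips);` is never checked to be an IP literal, so whatever string the client placed in X-Forwarded-For ahead of the trusted hop is returned verbatim, and the caller visible in the index.php hunk of this commit then uses it as an array key in `$gb['FAILURES']`. The documented contract is already `string|bool`, so validating in place keeps every caller unchanged: `return filter_var(array_pop($ips), FILTER_VALIDATE_IP);` — this also maps the empty element left by a header such as `1.1.1.1,` to `false` instead of returning `''`. The docblock's "initial IP" is also slightly misleading: after `array_diff` the function returns the right-most untrusted entry, which is normally the address the trusted proxy itself appended; consider `* Retrieve the client IP as seen by the trusted proxy (right-most untrusted X-Forwarded-For entry).`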
@@ -332,8 +332,17 @@ include $conf->get('resource.ban_file', 'data/ipbans.php'); | |||
332 | function ban_loginFailed($conf) | 332 | function ban_loginFailed($conf) |
333 | { | 333 | { |
334 | $ip = $_SERVER['REMOTE_ADDR']; | 334 | $ip = $_SERVER['REMOTE_ADDR']; |
335 | $trusted = $conf->get('security.trusted_proxies', array()); | ||
336 | if (in_array($ip, $trusted)) { | ||
337 | $ip = getIpAddressFromProxy($_SERVER, $trusted); | ||
338 | if (!$ip) { | ||
339 | return; | ||
340 | } | ||
341 | } | ||
335 | $gb = $GLOBALS['IPBANS']; | 342 | $gb = $GLOBALS['IPBANS']; |
336 | if (!isset($gb['FAILURES'][$ip])) $gb['FAILURES'][$ip]=0; | 343 | if (! isset($gb['FAILURES'][$ip])) { |
344 | $gb['FAILURES'][$ip]=0; | ||
345 | } | ||
337 | $gb['FAILURES'][$ip]++; | 346 | $gb['FAILURES'][$ip]++; |
338 | if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) | 347 | if ($gb['FAILURES'][$ip] > ($conf->get('security.ban_after') - 1)) |
339 | { | 348 | { |
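Review bot: When REMOTE_ADDR is a trusted proxy and `getIpAddressFromProxy()` yields `false`, the early `return;` at new line 339 discards the failed attempt entirely, so a proxy that omits or strips X-Forwarded-For switches the ban counter off with no trace. Counting the failure against REMOTE_ADDR there would eventually ban the proxy and lock out everyone behind it, so the early return is defensible, but the event should be written to the same log the surrounding login-failure path uses so a misconfigured proxy is noticed. The membership test should be strict, `if (in_array($ip, $trusted, true)) {`, since the configured list is consulted on every failed login. The enforcement side is not in this hunk: if `ban_canLogin()` still keys on `$_SERVER['REMOTE_ADDR']`, failures recorded here against the forwarded address would never block anything behind the proxy — worth confirming against the rest of index.php. `ban_loginFailed()` continues past the end of the hunk.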
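--- /dev/null
+++ b/tests/HttpUtils/GetIpAdressFromProxyTest.php
@@ -0,0 +1,58 @@
+<?php
+
+require_once 'application/HttpUtils.php';
+
+/**
+ * Unitary tests for getIpAddressFromProxy()
+ */
+class GetIpAdressFromProxyTest extends PHPUnit_Framework_TestCase {
+
+    /**
+     * Test without proxy
+     */
+    public function testWithoutProxy()
+    {
+        $this->assertFalse(getIpAddressFromProxy(array(), array()));
+    }
+
+    /**
+     * Test with a single IP in proxy header.
+     */
+    public function testWithOneForwardedIp()
+    {
+        $ip = '1.1.1.1';
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip);
+        $this->assertEquals($ip, getIpAddressFromProxy($server, array()));
+    }
+
+    /**
+     * Test with a multiple IPs in proxy header.
+     */
+    public function testWithMultipleForwardedIp()
+    {
+        $ip = '1.1.1.1';
+        $ip2 = '2.2.2.2';
+
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
+
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .' , '. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array()));
+    }
+
+    /**
+     * Test with a trusted IP address.
+     */
+    public function testWithTrustedIp()
+    {
+        $ip = '1.1.1.1';
+        $ip2 = '2.2.2.2';
+
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip);
+        $this->assertFalse(getIpAddressFromProxy($server, array($ip)));
+
+        $server = array('HTTP_X_FORWARDED_FOR' => $ip .','. $ip2);
+        $this->assertEquals($ip2, getIpAddressFromProxy($server, array($ip)));
+        $this->assertFalse(getIpAddressFromProxy($server, array($ip, $ip2)));
+    }
+}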
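Review bot: The class and file are named `GetIpAdressFromProxyTest` while the function under test is `getIpAddressFromProxy`; the misspelling makes the test hard to locate by name, so `class GetIpAddressFromProxyTest extends PHPUnit_Framework_TestCase {` with the file renamed to match would be preferable. The suite also has no case where the header value is not an IP literal, e.g. `$server = array('HTTP_X_FORWARDED_FOR' => 'not-an-ip');` — with the implementation in this commit the string is returned unchanged, and a test pinning the intended result either way would document what callers may assume about the return value. A trailing-comma header such as `'1.1.1.1,'` is likewise untested and currently yields `''` rather than `false`.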