diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-08-03 10:36:47 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-08-03 10:36:47 +0200 |
commit | 50d179183810a7b719bc10da2b9c4a95fd9dddee (patch) | |
tree | e669db360950025b4b6534075e940f532b0f00f3 /application | |
parent | c7a42ab1d9b21bf53cd30bc57b57789716c8711b (diff) | |
download | Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.gz Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.tar.zst Shaarli-50d179183810a7b719bc10da2b9c4a95fd9dddee.zip |
Add trusted IPs in config and try to ban forwarded IP on failed login
* Add a new settings (which needs to be manually set): `security.trusted_proxies`
* On login failure, if the `REMOTE_ADDR` is in the trusted proxies, try to retrieve the forwarded IP in headers.
* If found, the client address is added in ipbans, else we do nothing.
Fixes #409
Diffstat (limited to 'application')
-rw-r--r-- | application/HttpUtils.php | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php index 2e0792f9..354d261c 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php | |||
@@ -215,3 +215,29 @@ function page_url($server) | |||
215 | } | 215 | } |
216 | return index_url($server); | 216 | return index_url($server); |
217 | } | 217 | } |
218 | |||
219 | /** | ||
220 | * Retrieve the initial IP forwarded by the reverse proxy. | ||
221 | * | ||
222 | * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php | ||
223 | * | ||
224 | * @param array $server $_SERVER array which contains HTTP headers. | ||
225 | * @param array $trustedIps List of trusted IP from the configuration. | ||
226 | * | ||
227 | * @return string|bool The forwarded IP, or false if none could be extracted. | ||
228 | */ | ||
229 | function getIpAddressFromProxy($server, $trustedIps) | ||
230 | { | ||
231 | $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR'; | ||
232 | if (empty($server[$forwardedIpHeader])) { | ||
233 | return false; | ||
234 | } | ||
235 | |||
236 | $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]); | ||
237 | $ips = array_diff($ips, $trustedIps); | ||
238 | if (empty($ips)) { | ||
239 | return false; | ||
240 | } | ||
241 | |||
242 | return array_pop($ips); | ||
243 | } | ||