Merge pull request #623 from ArthurHoaro/security/reverse-proxy-ban

Add trusted IPs in config and try to ban forwarded IP on failed login
author: Arthur <arthur@hoa.ro> 2016-10-12 14:48:57 +0200
committer: GitHub <noreply@github.com> 2016-10-12 14:48:57 +0200
commit: adcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch)
tree: e242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467 /application
parent: 24cfb960cfdd88255333bfb2a08d586916b460ae (diff)
parent: 50d179183810a7b719bc10da2b9c4a95fd9dddee (diff)
download: Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.gz
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.zst
Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.zip
1 files changed, 26 insertions, 0 deletions
diff --git a/application/HttpUtils.php b/application/HttpUtils.php
index 27a39d3d..e705cfd6 100644
--- a/application/HttpUtils.php
+++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
    }
    return index_url($server);
 }
+/**
+ * Retrieve the initial IP forwarded by the reverse proxy.
+ *
+ * Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
+ *
+ * @param array $server     $_SERVER array which contains HTTP headers.
+ * @param array $trustedIps List of trusted IP from the configuration.
+ *
+ * @return string|bool The forwarded IP, or false if none could be extracted.
+ */
+function getIpAddressFromProxy($server, $trustedIps)
+{
+    $forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
+    if (empty($server[$forwardedIpHeader])) {
+        return false;
+    }
+    $ips = preg_split('/\s*,\s*/', $server[$forwardedIpHeader]);
+    $ips = array_diff($ips, $trustedIps);
+    if (empty($ips)) {
+        return false;
+    }
+    return array_pop($ips);
+}
author	Arthur <arthur@hoa.ro>	2016-10-12 14:48:57 +0200
committer	GitHub <noreply@github.com>	2016-10-12 14:48:57 +0200
commit	adcdac1dec45090e2fa1cd4a340e91a40c7a205f (patch)
tree	e242ed8fe8f6ebf9ca02c1b4aca944f9f7bbd467 /application
parent	24cfb960cfdd88255333bfb2a08d586916b460ae (diff)
parent	50d179183810a7b719bc10da2b9c4a95fd9dddee (diff)
download	Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.gz Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.tar.zst Shaarli-adcdac1dec45090e2fa1cd4a340e91a40c7a205f.zip

diff --git a/application/HttpUtils.php b/application/HttpUtils.php index 27a39d3d..e705cfd6 100644 --- a/application/HttpUtils.php +++ b/application/HttpUtils.php
@@ -355,3 +355,29 @@ function page_url($server)
355	}	355	}
356	return index_url($server);	356	return index_url($server);
357	}	357	}
		358
		359	/**
		360	* Retrieve the initial IP forwarded by the reverse proxy.
		361	*
		362	* Inspired from: https://github.com/zendframework/zend-http/blob/master/src/PhpEnvironment/RemoteAddress.php
		363	*
		364	* @param array $server $_SERVER array which contains HTTP headers.
		365	* @param array $trustedIps List of trusted IP from the configuration.
		366	*
		367	* @return string\|bool The forwarded IP, or false if none could be extracted.
		368	*/
		369	function getIpAddressFromProxy($server, $trustedIps)
		370	{
		371	$forwardedIpHeader = 'HTTP_X_FORWARDED_FOR';
		372	if (empty($server[$forwardedIpHeader])) {
		373	return false;
		374	}
		375
		376	$ips = preg_split('/\s,\s/', $server[$forwardedIpHeader]);
		377	$ips = array_diff($ips, $trustedIps);
		378	if (empty($ips)) {
		379	return false;
		380	}
		381
		382	return array_pop($ips);
		383	}